GitHub Access Token

tfaction requires a GitHub Access Token.

Use GitHub App instead of the secret GITHUB_TOKEN

Some actions push commits to pull requests or create new pull requests, but events caused by the secret GITHUB_TOKEN don't trigger a GitHub Actions workflow run.

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run.

So we recommend issuing an access token from a GitHub App. There are some GitHub Actions to issue an access token from a GitHub App.

To create a GitHub App, see the official documentation.

You can also use a personal access token, but we recommend a GitHub App for security reasons.

Required permissions of the secret GITHUB_TOKEN

If you use OIDC, the permission id-token: write is probably required.

id-token: write

Required permissions of GitHub Access token

Refer to tfaction-example, which also shows the required permissions.

tfaction is composed of multiple actions, and each action requires different permissions. So, following the principle of least privilege, you should issue a token per action. From the example, you can see what permissions each action requires.
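
The per-action token approach described above, sketched as a workflow. This is an added example, not code from tfaction or tfaction-example. It assumes the tokens are issued with actions/create-github-app-token, and the secret names, step ids, consumer steps and permission sets are all assumptions; take the real permissions for each action from tfaction-example.

```yaml
# Added example. Names and permission sets are assumptions, not tfaction's own.
name: plan
on: pull_request

# Permissions of the secret GITHUB_TOKEN, kept minimal.
permissions:
  id-token: write   # only if you use OIDC
  contents: read    # assumption: needed by actions/checkout

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Token A: for a step that only comments on the pull request.
      # With no "owner"/"repositories" input the token covers only this repository.
      - id: token_comment
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}                 # hypothetical secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # hypothetical secret name
          permission-pull-requests: write               # assumed permission set

      # Token B: for a step that pushes commits to the pull request branch.
      # Issued separately so the commenting step never holds contents: write.
      - id: token_push
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-contents: write                    # assumed permission set

      # Hypothetical consumer of token A.
      - name: Comment on the pull request
        run: gh pr comment "$PR_URL" --body "plan finished"
        env:
          GITHUB_TOKEN: ${{ steps.token_comment.outputs.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}

      # Hypothetical consumer of token B (script name is a placeholder).
      - name: Push a follow-up commit
        run: ./push-fix.sh
        env:
          GITHUB_TOKEN: ${{ steps.token_push.outputs.token }}
```

The GitHub App itself must be granted at least the union of the permissions requested here; each issued token is then narrowed to the subset its step needs.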