| | --- |
| | title: Use GITHUB_TOKEN for authentication in workflows |
| | intro: 'Learn how to use the `GITHUB_TOKEN` to authenticate on behalf of {% data variables.product.prodname_actions %}.' |
| | redirect_from: |
| | - /github/automating-your-workflow-with-github-actions/authenticating-with-the-github_token |
| | - /actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token |
| | - /actions/configuring-and-managing-workflows/authenticating-with-the-github_token |
| | - /actions/reference/authentication-in-a-workflow |
| | - /actions/security-guides/automatic-token-authentication |
| | - /actions/security-for-github-actions/security-guides/automatic-token-authentication |
| | - /actions/how-tos/security-for-github-actions/security-guides/automatic-token-authentication |
| | - /actions/how-tos/security-for-github-actions/security-guides/use-github_token-in-workflows |
| | - /actions/using-jobs/assigning-permissions-to-jobs |
| | - /actions/writing-workflows/choosing-what-your-workflow-does/assigning-permissions-to-jobs |
| | - /actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github-token |
| | - /actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token |
| | - /actions/how-tos/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token |
| | - /actions/tutorials/use-github_token-in-workflows |
| | versions: |
| | fpt: '*' |
| | ghes: '*' |
| | ghec: '*' |
| | shortTitle: Authenticate with GITHUB_TOKEN |
| | --- |
| | |
| | This tutorial leads you through how to use the `GITHUB_TOKEN` for authentication in {% data variables.product.prodname_actions %} workflows, including examples for passing the token to actions, making API requests, and configuring permissions for secure automation. |
| | |
| | For reference information, see [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions). |
| | |
| | ## Using the `GITHUB_TOKEN` in a workflow |
| |
|
| | You can use the `GITHUB_TOKEN` by using the standard syntax for referencing secrets: {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}. Examples of using the `GITHUB_TOKEN` include passing the token as an input to an action, or using it to make an authenticated {% data variables.product.github %} API request. |
| |
|
| | > [!IMPORTANT] |
| | > An action can access the `GITHUB_TOKEN` through the `github.token` context even if the workflow does not explicitly pass the `GITHUB_TOKEN` to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the `GITHUB_TOKEN`. For more information, see [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions). |
| | |
| | ### Example 1: passing the `GITHUB_TOKEN` as an input |
| |
|
| | {% data reusables.actions.github_token-input-example %} |
| | |
| | ### Example 2: calling the REST API |
| | |
| | You can use the `GITHUB_TOKEN` to make authenticated API calls. This example workflow creates an issue using the {% data variables.product.prodname_dotcom %} REST API: |
| | |
| | ```yaml |
| | name: Create issue on commit |
| | |
| | on: [ push ] |
| | |
| | jobs: |
| | create_issue: |
| | runs-on: ubuntu-latest |
| | permissions: |
| | issues: write |
| | steps: |
| | - name: Create issue using REST API |
| | run: | |
| | curl --request POST \ |
| | --url {% data variables.product.rest_url %}/repos/${% raw %}{{ github.repository }}{% endraw %}/issues \ |
| | --header 'authorization: Bearer ${% raw %}{{ secrets.GITHUB_TOKEN }}{% endraw %}' \ |
| | --header 'content-type: application/json' \ |
| | --data '{ |
| | "title": "Automated issue for commit: ${% raw %}{{ github.sha }}{% endraw %}", |
| | "body": "This issue was automatically created by the GitHub Action workflow **${% raw %}{{ github.workflow }}{% endraw %}**. \n\n The commit hash was: _${% raw %}{{ github.sha }}{% endraw %}_." |
| | }' \ |
| | --fail |
| | ``` |
| | |
| | ## Modifying the permissions for the `GITHUB_TOKEN` |
| | |
| | Use the `permissions` key in your workflow file to modify permissions for the `GITHUB_TOKEN` for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. As a good security practice, you should grant the `GITHUB_TOKEN` the least required access. |
| | |
| | To see the list of permissions available for use and their parameterized names, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#account-permissions). |
| | |
| | The two workflow examples earlier in this article show the `permissions` key being used at the job level. |
| | |
| | ## Granting additional permissions |
| | |
| | If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, create a {% data variables.product.prodname_github_app %} and generate an installation access token within your workflow. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). Alternatively, you can create a {% data variables.product.pat_generic %}, store it as a secret in your repository, and use the token in your workflow with the {% raw %}`${{ secrets.SECRET_NAME }}`{% endraw %} syntax. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). |
| |
|
| | ## Next steps |
| |
|
| | * [AUTOTITLE](/actions/concepts/security/github_token) |
| | * [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions) |
| |
|
