Skip to content
unlock

GitHub Action

Create GitHub App Token using OpenID Connect

v1.0.3 Latest version

Create GitHub App Token using OpenID Connect

unlock

Create GitHub App Token using OpenID Connect

Run GitHub Actions as a GitHub App instead of using secrets.GITHUB_TOKEN or a personal access token

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Create GitHub App Token using OpenID Connect

uses: shogo82148/actions-github-app-token@v1.0.3

Learn more about this action in shogo82148/actions-github-app-token

Choose a version

actions-github-app-token

A GitHub Action that generates a GitHub App Installation Token.

Motivation

There are several ways to use tokens in GitHub Actions. However, they have some limitations.

The action provides the GitHub Token Vending API to manage token permissions.

Usage

Install the GitHub App

Create a new your own GitHub App, or install My Demonstration App.

Deploy the GitHub Token Vending API

Install the AWS SAM CLI, and deploy the API to your AWS Account.

cd provider/
sam build
sam deploy

Use the Action in Your Workflow

jobs:
  job:
    runs-on: ubuntu-latest
    # use GitHub Actions OIDC Token
    permissions:
      id-token: write
      contents: read

    steps:
      - id: generate
        uses: shogo82148/actions-github-app-token@v1
        # Optional (defaults to My Demonstration App).
        # with:
        #   provider-endpoint: https://EXAMPLE.execute-api.us-east-1.amazonaws.com/
      - run: |
          gh issue create --title "Do something using GITHUB_TOKEN"
        env:
          GITHUB_TOKEN: ${{ steps.generate.outputs.token }}

How It Works

How to Work

  1. Request a new credential with OIDC (OpenID Connect) Token.
    The shogo82148/actions-github-app-token action sends a temporary id token to the credential token vendor.
  2. The vendor signs the request using the long term credential.
    The long term credential doesn't leave AWS environment. It keeps the workflow safer.
  3. The vendor a new credential with JWT (JSON Web Token).
  4. GitHub returns a temporary credential.

Related Works