(Reusable) Workflows & GITHUB_TOKEN: advice to use PAT in docs? #21068
-
When a Github Actions workflow is started, the docs state that the Github Actions app sets a new short-lived token via the Isn't it ill adviced then to still leverage a (long lived) Personal Access Token if you want more permissions? Are there still cases where this would be needed? This is what I still find in the docs: |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
The main reasons I'm aware of:
From a security point of view it's certainly good to carefully consider whether those are really necessary. 🙂 |
Beta Was this translation helpful? Give feedback.
The main reasons I'm aware of:
GITHUB_TOKEN
is scoped to the repository, so it can't do that.GITHUB_TOKEN
never do that to avoid unintentional recursive runs.From a security point of view it's certainly good to carefully consider whether those are really necessary. 🙂