Impersonate a GitHub App in a GitHub Action
This JavaScript GitHub Action can be used to impersonate a GitHub App when secrets.GITHUB_TOKEN‘s limitations are too restrictive and a personal access token is not suitable.
For instance, from GitHub Actions’ docs:
When you use the repository’s
GITHUB_TOKENto perform tasks, events triggered by theGITHUB_TOKEN, with the exception ofworkflow_dispatchandrepository_dispatch, will not create a new workflow run.
This prevents you from accidentally creating recursive workflow runs.
For example, if a workflow run pushes code using the repository’sGITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
A workaround is to use a personal access token from a personal user/bot account.
However, for organizations, GitHub Apps are a more appropriate automation solution.
jobs:job:runs-on: ubuntu-lateststeps:- id: create_tokenuses: tibdex/github-app-token@v2with:app_id: ${{ secrets.APP_ID }}# Optional.# github_api_url: https://api.example.com# Optional.# installation_retrieval_mode: id# Optional.# installation_retrieval_payload: 1337# Optional.# Using a YAML multiline string to avoid escaping the JSON quotes.# permissions: >-# {"pull_requests": "read"}private_key: ${{ secrets.PRIVATE_KEY }}# Optional.# repositories: >-# ["actions/toolkit", "github/docs"]# Optional.# revoke: false- run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'"
Another use case for this action can (or could) be found in GitHub’s own docs.