GitHub API Tokens
2023-08-30
Getting 404s or 403s? Find out about nuances and options when it comes to GitHub API tokens.
The article discusses three types of GitHub API tokens and their key characteristics and potential failure scenarios:
1. GitHub Actions Token
Key Properties:
- Expires in 1 hour by default
- Limited workflow permissions
- Does not trigger workflows
- Cannot bypass certain GitHub protections
Failure Scenarios:
- Build taking longer than an hour
- Unable to publish to GitHub Packages
- Cannot remove branch protection
- Workflows not triggered by commits
2. GitHub Personal Access Token (PAT)
Key Properties:
- Expires in N days by default
- Bound to a single user
- Permissions tied to user's access
Failure Scenarios:
- Token expiration while used as organization secret
- Token becoming invalid when user leaves organization
Note: "Fine-grained (beta)" variant has limited interaction with GitHub features.
3. GitHub App Tokens
Key Properties:
- Managed by organization
- Credentials never expire
- Generates API tokens
Failure Scenarios:
- Not installed on new repositories
- Potential disabling by GitHub for suspicious activity
Important Note: Installing a GitHub App on a repository requires an Administrator's Personal Access Token.
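
A triage helper for the failures listed above, added here as an example and not taken from the article: it classifies a token by GitHub's documented prefix, reads the `GitHub-Authentication-Token-Expiration` response header, and suggests which scenario applies. The function names, hint wording, the 14-day warning window and the header's date format are assumptions of this example.

```python
from datetime import datetime, timezone

# GitHub's documented token prefixes. ghs_ covers both the GitHub Actions
# token and GitHub App installation tokens.
PREFIXES = [("github_pat_", "fine-grained PAT"), ("ghp_", "classic PAT"),
            ("ghs_", "installation token")]

# Hint per (status, token is a PAT); wording is this example's own.
HINTS = {
    (401, True): "PAT expired or revoked",
    (401, False): "token outlived its lifetime (build longer than an hour?)",
    # GitHub answers 404 for resources the token cannot see.
    (404, True): "token owner lost access (left the organization?)",
    (404, False): "repository outside the token's reach (app not installed?)",
    (403, True): "the user behind the token lacks the permission",
    (403, False): "workflow permissions too narrow or a protection applies",
}

def token_kind(token):
    return next((k for p, k in PREFIXES if token.startswith(p)), "unknown")

def days_until_expiry(headers, now):
    """Days left, from the expiry header GitHub sends for expiring PATs."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("github-authentication-token-expiration")
    if raw is None:
        return None
    # Assumed header format: "2023-09-05 00:00:00 UTC"
    expires = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S UTC")
    return (expires.replace(tzinfo=timezone.utc) - now).days

def triage(token, status, headers, now, warn_days=14):
    """Return (token kind, hints) for one API response."""
    kind, hints = token_kind(token), []
    if kind == "unknown" and status in (401, 403, 404):
        hints.append("unrecognised token prefix; check which secret is in use")
    elif (status, kind.endswith("PAT")) in HINTS:
        hints.append(HINTS[(status, kind.endswith("PAT"))])
    left = days_until_expiry(headers, now)
    if left is not None and left <= warn_days:
        hints.append(f"token expires in {left} days; rotate the secret")
    return kind, hints

if __name__ == "__main__":
    now = datetime(2023, 8, 30, tzinfo=timezone.utc)
    # Constructed samples: tokens and header values are made up.
    soon = {"GitHub-Authentication-Token-Expiration": "2023-09-05 00:00:00 UTC"}
    print(triage("ghp_CONSTRUCTED", 200, soon, now))
    print(triage("ghs_CONSTRUCTED", 404, {}, now))
```

Running the expiry check on successful responses catches a PAT stored as an organization secret before it lapses, rather than after the first failed build.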