GitHub API Tokens

Ever run into a 404 on GitHub when trying to access your private resources? Or maybe a "Resource not accessible by integration"? That sounds like a misconfigured GitHub API token. Below, we've noted some common mistakes involving the use of GitHub API tokens.

Types

GitHub Actions Token

GitHub Actions workflows automatically receive a token with which they can interact with the GitHub API.

| Key token property | Failure scenario |
| --- | --- |
| Expires in 1 hour by default | Your build takes longer than an hour and decides to publish to GitHub Packages at the end: the token to do so has expired. |
| Expires in 1 hour by default | Your build timed out after an hour and decides to report this through a pull-request comment: the token to do so has expired. |
| Limited workflow permissions | Your workflow wants to remove branch protection. Even with every permission possible, this cannot be achieved. |
| Does not trigger workflows | Your workflow pushes a commit to the repository it is running in. Unlike all other tokens, GitHub Actions workflow tokens never trigger workflows. |
| Doesn't completely represent a GitHub App or user | Protections such as branch protection or rulesets can be configured to be bypassed by specific users or GitHub Apps; a GitHub Actions token will always be blocked by these, as it cannot be referenced in such configurations. |

GitHub Personal Access Token

Personal Access Tokens (or "PATs") are managed by and bound to a single user. They share some familiar properties with SSL certificates: they expire, and there are multiple authorities that can invalidate them.

| Key token property | Failure scenario |
| --- | --- |
| Expires in N days by default | A PAT is used as an organization secret. Alice is on vacation and the expiration date is reached: the PAT no longer functions. |
| Permissions of a user | A PAT is used as an organization secret. Bob leaves the organization: the PAT no longer functions for repositories in the organization. |

Note (August 2023): There exists a "Fine-grained (beta)" variant of the Personal Access Token. These cannot currently interact with many GitHub features, such as GitHub Packages and commit statuses, and potentially others.

GitHub App Tokens

A GitHub App plays a similar role to a GitHub user. However, it can be managed by an organization rather than a single user. GitHub Apps have their own credentials in the form of a private key, which they use to generate API tokens. Notably, this private key never expires.
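As an added example (not code from the original page), this is how a GitHub App turns its never-expiring private key into a short-lived API credential: it signs an RS256 JWT (iss = App ID, exp at most 10 minutes out) and presents that as a Bearer token to POST /app/installations/{installation_id}/access_tokens to obtain the installation token a workflow actually uses. The App ID "12345" and the generated key are constructed stand-ins, and the verifier function is included only to show how the short expiry is enforced.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments use base64url without padding
// AppJWT builds the RS256 JWT a GitHub App signs with its never-expiring
// private key to request an installation token; GitHub caps it at 10 minutes.
func AppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(), // backdated for clock skew
		"exp": now.Add(9 * time.Minute).Unix()})  // stays under the 10 minute cap
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAppJWT checks the signature and the exp claim as the receiver would.
func VerifyAppJWT(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]any // parsed only after the signature checked out
	raw, _ := b64.DecodeString(parts[1])
	json.Unmarshal(raw, &claims) // on failure claims stays nil and exp reads as 0
	if exp, _ := claims["exp"].(float64); float64(now.Unix()) >= exp {
		return nil, fmt.Errorf("JWT expired")
	}
	return claims, nil
}
```

Call AppJWT with the key loaded from the App's downloaded .pem file (rsa.GenerateKey(rand.Reader, 2048) is a constructed stand-in for local runs); because the workflow only ever uses the installation token, the key itself can stay in a secret store.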

| Key token property | Failure scenario |
| --- | --- |
| May require installation on repositories | A new repository is created; the GitHub App is not installed on it, and as such it cannot interact with the repository. |
| Can be opaquely disabled by GitHub | GitHub thought your GitHub App was abusing the API or was otherwise suspicious; it gets disabled. |

Note that installing a GitHub App on a repository is a process that can be automated, but you'll need an Administrator's PAT to do so!
