About the GITHUB_TOKEN secret
At the start of each workflow job, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in the workflow job.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see Permissions for the GITHUB_TOKEN.
Before each job begins, GitHub fetches an installation access token for the job. GITHUB_TOKEN 在作业完成或最多 24 小时后过期。
The token is also available in the github.token context. For more information, see 访问有关工作流运行的上下文信息.
Using the GITHUB_TOKEN in a workflow
You can use the GITHUB_TOKEN by using the standard syntax for referencing secrets: ${{ secrets.GITHUB_TOKEN }}. Examples of using the GITHUB_TOKEN include passing the token as an input to an action, or using it to make an authenticated GitHub API request.
重要
An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see Permissions for the GITHUB_TOKEN.
使用仓库的 GITHUB_TOKEN 执行任务时,GITHUB_TOKEN 触发的事件(workflow_dispatch 和 repository_dispatch 除外)不会创建新的工作流运行。 这可以防止意外创建递归工作流程运行。 例如,如果工作流运行使用存储库的 GITHUB_TOKEN 推送代码,则即使存储库包含配置为在 push 事件发生时运行的工作流,新工作流也不会运行。
由使用 GITHUB_TOKEN 的 GitHub Actions 工作流推送的提交不会触发 GitHub Pages 生成。
Example 1: passing the GITHUB_TOKEN as an input
此示例工作流程使用 GitHub CLI,该方式需要 GITHUB_TOKEN 作为 GH_TOKEN 输入参数的值:
name: Open new issue
on: workflow_dispatch
jobs:
open-issue:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- run: |
gh issue --repo ${{ github.repository }} \
create --title "Issue title" --body "Issue body"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
name: Open new issue
on: workflow_dispatch
jobs:
open-issue:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- run: |
gh issue --repo ${{ github.repository }} \
create --title "Issue title" --body "Issue body"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Example 2: calling the REST API
You can use the GITHUB_TOKEN to make authenticated API calls. This example workflow creates an issue using the GitHub REST API:
name: Create issue on commit
on: [ push ]
jobs:
create_issue:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Create issue using REST API
run: |
curl --request POST \
--url https://api.github.com/repos/${{ github.repository }}/issues \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"title": "Automated issue for commit: ${{ github.sha }}",
"body": "This issue was automatically created by the GitHub Action workflow **${{ github.workflow }}**. \n\n The commit hash was: _${{ github.sha }}_."
}' \
--fail
Permissions for the GITHUB_TOKEN
For information about the API endpoints GitHub Apps can access with each permission, see GitHub 应用程序所需的权限.
The following table shows the permissions granted to the GITHUB_TOKEN by default. People with admin permissions to an enterprise, organization, or repository, can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the GITHUB_TOKEN for your enterprise, organization, or repository, see 在企业中为 GitHub Actions 实施策略, 禁用或限制组织的 GitHub Actions, or 管理存储库的 GitHub Actions 设置.
| Scope | Default access (permissive) | Default access (restricted) | Maximum access for pull requests from public forked repositories |
|---|---|---|---|
| actions | read/write | none | read |
| attestations | read/write | none | read |
| checks | read/write | none | read |
| contents | read/write | read | read |
| deployments | read/write | none | read |
| discussions | read/write | none | read |
| id-token | none | none | none |
| issues | read/write | none | read |
| metadata | read | read | read |
| models | read | none | none |
| packages | read/write | read | read |
| pages | read/write | none | read |
| pull-requests | read/write | none | read |
| security-events | read/write | none | read |
| statuses | read/write | none | read |
注意
- When a workflow is triggered by the
pull_request_targetevent, theGITHUB_TOKENis granted read/write repository permission, even when it is triggered from a public fork. For more information, see 触发工作流的事件. - Private repositories can control whether pull requests from forks can run workflows, and can configure the permissions assigned to
GITHUB_TOKEN. For more information, see 管理存储库的 GitHub Actions 设置. - Dependabot 拉取请求触发的工作流运行就像是来自存储库分支一样,因此使用只读
GITHUB_TOKEN。 这些工作流程运行无法访问任何密钥。 有关保护这些工作流安全的策略的信息,请参阅“Security hardening for GitHub Actions”。
Modifying the permissions for the GITHUB_TOKEN
You can modify the permissions for the GITHUB_TOKEN in individual workflow files. If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully. If the default permissions are permissive, you can edit the workflow file to remove some permissions from the GITHUB_TOKEN. As a good security practice, you should grant the GITHUB_TOKEN the least required access.
You can see the permissions that GITHUB_TOKEN had for a specific job in the "Set up job" section of the workflow run log. For more information, see Using workflow run logs.
You can use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job.
可以使用 permissions 密钥添加和删除分叉存储库的读取权限,但通常不能授予其写入权限。 此行为的例外情况是,管理员用户已在 GitHub Actions 设置中选择了“通过拉取请求向工作流发送写入令牌”选项。 有关详细信息,请参阅“管理存储库的 GitHub Actions 设置”。
The two workflow examples earlier in this article show the permissions key being used at the job level, as it is best practice to limit the permissions' scope.
For full details of the permissions key, see GitHub Actions 的工作流语法.
注意
Organization and enterprise owners can prevent you from granting write access to the GITHUB_TOKEN at the repository level. For more information, see 禁用或限制组织的 GitHub Actions and 在企业中为 GitHub Actions 实施策略.
When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.
How the permissions are calculated for a workflow job
The permissions for the GITHUB_TOKEN are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only.
Granting additional permissions
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, you can create a GitHub App and generate an installation access token within your workflow. For more information, see 使用 GitHub Actions 工作流中的 GitHub App 发出经过身份验证的 API 请求. Alternatively, you can create a personal access token, store it as a secret in your repository, and use the token in your workflow with the ${{ secrets.SECRET_NAME }} syntax. For more information, see 管理个人访问令牌 and Using secrets in GitHub Actions.