ノート: GitHubホストランナーは、現在GitHub Enterprise Serverでサポートされていません。 GitHubパブリックロードマップで、計画されている将来のサポートに関する詳しい情� �を見ることができます。
About the GITHUB_TOKEN
secret
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN
secret to use in your workflow. You can use the GITHUB_TOKEN
to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN
secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see "Permissions for the GITHUB_TOKEN
."
Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.
The token is also available in the github.token
context. For more information, see "Contexts."
Using the GITHUB_TOKEN
in a workflow
You can use the GITHUB_TOKEN
by using the standard syntax for referencing secrets: ${{ secrets.GITHUB_TOKEN }}
. Examples of using the GITHUB_TOKEN
include passing the token as an input to an action, or using it to make an authenticated GitHub Enterprise Server API request.
When you use the repository's GITHUB_TOKEN
to perform tasks, events triggered by the GITHUB_TOKEN
will not create a new workflow run. これによって、予想外の再帰的なワークフローの実行が生じないようになります。 たとえば、ワークフローの実行によってリポジトリのGITHUB_TOKEN
を使ったコードのプッシュが行われた� �合、そのリポジトリにpush
イベントが生じた際に実行されるよう設定されたワークフローが含まれていても、新しいワークフローの実行は行われません。
Example 1: passing the GITHUB_TOKEN
as an input
以下のワークフローの例ではlabeler actionを使用しています。これには、repo-token
入力パラメータの値としてGITHUB_TOKEN
を渡すことが必要です。
name: Pull request labeler
on: [ pull_request_target ]
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
Example 2: calling the REST API
You can use the GITHUB_TOKEN
to make authenticated API calls. This example workflow creates an issue using the GitHub REST API:
name: Create issue on commit
on: [ push ]
jobs:
create_commit:
runs-on: ubuntu-latest
steps:
- name: Create issue using REST API
run: |
curl --request POST \
--url http(s)://[hostname]/api/v3/repos/${{ github.repository }}/issues \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"title": "Automated issue for commit: ${{ github.sha }}",
"body": "This issue was automatically created by the GitHub Action workflow **${{ github.workflow }}**. \n\n The commit hash was: _${{ github.sha }}_."
}' \
--fail
Permissions for the GITHUB_TOKEN
For information about the API endpoints GitHub Apps can access with each permission, see "GitHub App Permissions."
Scope | Access type | Access by forked repos |
---|---|---|
actions | read/write | read |
checks | read/write | read |
contents | read/write | read |
deployments | read/write | read |
issues | read/write | read |
metadata | read | read |
packages | read/write | read |
pull-requests | read/write | read |
repository-projects | read/write | read |
statuses | read/write | read |
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN
, you can create a personal access token and set it as a secret in your repository:
- Use or create a token with the appropriate permissions for that repository. For more information, see "Creating a personal access token."
- Add the token as a secret in your workflow's repository, and refer to it using the
${{ secrets.SECRET_NAME }}
syntax. For more information, see "Creating and using encrypted secrets."