About GitHub secrets and personal access tokens - yunkon-kim/test-on-github-actions GitHub Wiki

About GitHub secrets and personal access tokens

When using GitHub Actions, we sometimes see the GITHUB_TOKEN secret (e.g., github-token: ${{secrets.GITHUB_TOKEN}}). There is also another kind of token, the personal access token (PAT). This page describes both, and I hope it helps you understand secrets and tokens.

This article mainly describes the use of GitHub secrets (e.g., the GITHUB_TOKEN secret) in GitHub Actions. PATs are described only briefly. Both can, of course, be used in many other ways.

Two Tokens?

Actually, one is a secret and the other is a token.

  • GITHUB_TOKEN secret: This is a secret in a repository.
    • You can find it in a repository under Settings > Secrets
  • Personal access token: This is an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line.
    • You can find it under Profile image in the top right > Settings > Developer settings > Personal access tokens

Secrets

Secrets include:

  • encrypted secrets, and
  • GITHUB_TOKEN secret.

Encrypted secrets

Secrets are encrypted environment variables that you create in a repository or organization. The secrets you create are available to use in GitHub Actions workflows.

See Encrypted secrets in the GitHub Docs.

GITHUB_TOKEN secret

GitHub automatically creates a GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.

See Authentication in a workflow in the GitHub Docs.

Personal access tokens

You should create a personal access token to use in place of a password with the command line or with the API.

How to create a personal access token

See Creating a personal access token in the GitHub Docs.

Example

To authenticate against the GitHub Container Registry, you will need to create a new personal access token (PAT) with the appropriate scopes. (see here)
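
The two credential types side by side, as an added example that is not from the original wiki: a workflow that uses the automatically created GITHUB_TOKEN for an API call and a PAT stored as an encrypted secret to log in to the GitHub Container Registry. The workflow file name and the secret names CR_USER and CR_PAT are assumptions.

```yaml
# .github/workflows/ghcr-login.yml (hypothetical file name)
name: ghcr-login-example

on:
  workflow_dispatch:

# Restrict what the automatically created GITHUB_TOKEN may do in this run.
permissions:
  contents: read

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      # GITHUB_TOKEN: created by GitHub for each workflow run, nothing to set up.
      # The gh CLI on GitHub-hosted runners reads it from the GH_TOKEN variable.
      - name: Call the GitHub API with GITHUB_TOKEN
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh api "repos/${GITHUB_REPOSITORY}" --jq '.full_name'

      # PAT: created by a user with the appropriate scopes and saved under
      # Settings > Secrets as CR_PAT; CR_USER holds the PAT owner's user name.
      # Both secret names are assumed for this example.
      - name: Log in to GitHub Container Registry with a PAT
        env:
          CR_USER: ${{ secrets.CR_USER }}
          CR_PAT: ${{ secrets.CR_PAT }}
        run: |
          # --password-stdin keeps the token out of the process argument list.
          printf '%s' "${CR_PAT}" | docker login ghcr.io -u "${CR_USER}" --password-stdin

      # Remove the stored registry credential before the job ends.
      - name: Log out
        if: always()
        run: docker logout ghcr.io
```

Passing secrets through `env:` rather than interpolating `${{ secrets.* }}` directly inside `run:` keeps the values out of the generated shell script.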

References (Unorganized)