# Access Tokens for GitHub Actions

GitHub Action, v3.0.0
Obtain temporary Access Tokens for GitHub Actions workflows by requesting GitHub App Installation Access Tokens. Authorization is based on the GitHub Actions OIDC tokens and the `.github/access.yaml` file in the target repositories.
## How it works

1. This GitHub action requests an access token for a Granting Repository from the App Server, authorized by the GitHub Actions ID Token (a JWT signed by GitHub).
2. The App Server requests a GitHub App Installation Token to read the `.github/access.yaml` file in the Granting Repository.
3. The App Server reads the `.github/access.yaml` file from the Granting Repository and determines which permissions should be granted to the Requesting Repository, authorized by the GitHub App Installation Token from step 2.
4. The App Server requests a GitHub App Installation Token with the granted permissions for the Source Directory and sends it back in response to this GitHub action from step 1.
5. This GitHub action sets the token as the environment variable `$GITHUB_ACCESS_MANAGER_TOKEN` and as the step output `${{ steps.access-manager.outputs.GITHUB_ACCESS_MANAGER_TOKEN }}`.
6. Further steps can then utilize this token to access resources of the Granting Repository.
## Usage

- Create a `.github/access.yaml` file
  - Set `self` to the enclosing repository. This ensures no unintended access in case you fork a repository with a `.github/access.yaml` file.
  - Add `policies` and permissions, see examples below. The `repository` value supports the wildcard `*`, e.g. `repository: octa-org/*`
  - ⚠ The `metadata: read` permission is implicitly always granted.
### `.github/access.yaml` examples

- Self access to trigger workflows from another workflow

```yaml
self: qoomon/example
policies:
  - repository: self
    permissions:
      actions: write
```

- Grant read access to GitHub Packages for an explicit repository

```yaml
self: qoomon/example
policies:
  - repository: qoomon/sandbox
    permissions:
      packages: read
```

- Grant read access to GitHub Packages for an entire organization

```yaml
self: qoomon/example
policies:
  - repository: octa-org/*
    permissions:
      packages: read
```
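The policy decision the App Server makes in step 3 (match the requesting repository against `policies`, refuse anything not covered, never grant more than the policy allows), written out as an added example that is not the project's own server code. It assumes permission levels are ordered read < write, that `*` does not cross a `/`, and that the YAML is already parsed into a plain object (`js-yaml` or similar would do that).

```javascript
// Added example, not the project's own code: evaluate an access.yaml policy
// for one request, including the `self` fork check, `*` wildcards and the
// implicit `metadata: read` grant. Assumptions: read < write, `*` stays within
// one path segment, and the YAML file has already been parsed into an object.
const LEVEL = { read: 1, write: 2 };

// "octa-org/*" -> /^octa-org\/[^/]*$/i (GitHub owner/repo names are case-insensitive)
function patternToRegex(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  return new RegExp(`^${escaped}$`, 'i');
}

// Parse the action's `permissions` input ("contents:read\nactions:write") into an object.
function parsePermissionsInput(text) {
  return Object.fromEntries(text.split(/[\n,]/).map((l) => l.trim()).filter(Boolean)
    .map((l) => l.split(':').map((s) => s.trim())));
}

function evaluateAccess(accessYaml, grantingRepo, requestingRepo, requested) {
  // Fork protection: the file only governs the repository it names as `self`.
  if ((accessYaml.self || '').toLowerCase() !== grantingRepo.toLowerCase()) {
    return { granted: {}, denied: Object.keys(requested), reason: 'self mismatch' };
  }
  const allowed = { metadata: 'read' }; // implicitly always granted
  for (const policy of accessYaml.policies || []) {
    const target = policy.repository === 'self' ? accessYaml.self : policy.repository;
    if (!patternToRegex(target || '').test(requestingRepo)) continue;
    for (const [scope, level] of Object.entries(policy.permissions || {})) {
      if ((LEVEL[level] || 0) > (LEVEL[allowed[scope]] || 0)) allowed[scope] = level;
    }
  }
  const granted = {}, denied = [];
  for (const [scope, level] of Object.entries(requested)) {
    if ((LEVEL[allowed[scope]] || 0) >= (LEVEL[level] || Infinity)) granted[scope] = level;
    else denied.push(scope);
  }
  return { granted, denied, reason: denied.length ? 'not covered by policy' : null };
}

// Constructed sample policy, modelled on the access.yaml examples above.
const SAMPLE_ACCESS_YAML = {
  self: 'qoomon/example',
  policies: [
    { repository: 'self', permissions: { actions: 'write' } },
    { repository: 'octa-org/*', permissions: { packages: 'read' } },
  ],
};

console.log(evaluateAccess(SAMPLE_ACCESS_YAML, 'qoomon/example', 'octa-org/app',
  parsePermissionsInput('packages:read\ncontents:read'))); // grants packages, denies contents
```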
### Workflow examples

- Clone a remote repository

```yaml
on: # ...
permissions:
  id-token: write # required to request id-token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Request access token
        uses: qoomon/github-actions-access-manager@v2
        with:
          repositories: |
            qoomon/sandbox
          permissions: |
            contents:read
      - name: Clone remote repository
        run: |
          git config --global credential.helper store
          git clone https://_:$GITHUB_ACCESS_MANAGER_TOKEN@github.com/qoomon/sandbox.git
          # ...
```

- Trigger another workflow within the repository

```yaml
on: # ...
permissions:
  id-token: write # required to request id-token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Request access token
        id: access-manager
        uses: qoomon/github-actions-access-manager@v2
        with:
          repositories: self
          permissions: actions:write
      - name: Trigger workflow
        run: |
          gh workflow run post_deploy_checks.yml \
            --ref my-branch \
            --field logLevel=debug
        env:
          GITHUB_TOKEN: ${{ steps.access-manager.outputs.GITHUB_ACCESS_MANAGER_TOKEN }}
      # ...
```
## Set up your own GitHub App

- Create a new User App or a new Organization App
- Fill out the mandatory fields
- Deactivate the Webhook
- Choose the Repository permissions you want to manage, or use the following suggestions:
  - Actions: Read and write
  - Contents: Read-only
  - Packages: Read-only
- Add the mandatory Repository permissions:
  - Single file: Read-only
    - Add the file path `.github/access.yaml`
- Go to the User App Settings or Organization App Settings
- Click on Edit for your App
- Click on Install App
- Choose an account to install your app to
## Deploy the App Server

- Fork this repository
- Create a Vercel App of your fork
  - Set the root directory to `server/`
  - Set the following environment variables; copy the values from the User App details or the Organization App details:
    - `GITHUB_APP_ID`
    - `GITHUB_APP_PRIVATE_KEY`
- Change the default `endpoint` in the GitHub action `action.yaml` to your Vercel app URL.
- Use your fork as the GitHub action to request an access token.
## Development

- Start the server

```sh
npm --prefix server/ start
```

- Run the GitHub Action locally

```sh
export NODE_ENV=development
export ACTIONS_ACCESS_MANAGER_ENDPOINT=http://localhost:3000/v2/access_token
export ACTIONS_ID_TOKEN=<ACTIONS_ID_TOKEN>  # placeholder: a GitHub Actions OIDC ID token (JWT)
INPUT_REPOSITORIES=qoomon/github-actions-access-manager \
INPUT_PERMISSIONS=contents:read \
node index.js
```