This JavaScript GitHub Action can be used to impersonate a GitHub App Installation when `secrets.GITHUB_TOKEN`'s limitations are too restrictive and a personal access token is not suitable.
This action is built with inspiration from tibdex/github-app-installation but with a slightly different
authentication pattern. This action authenticates directly to an app installation, rather than impersonating a repository.
`secrets.GITHUB_TOKEN` has limitations, such as not being able to trigger a new workflow from another workflow.
A workaround is to use a personal access token from a personal user/bot account.
However, for organizations, GitHub Apps are a more appropriate automation solution.
```yaml
jobs:
  job:
    runs-on: ubuntu-latest
    steps:
      - name: Generate installation token
        id: generate_installation_token
        # You should use a released version number here rather than `main`
        uses: jwenz723/github-app-installation-token@main
        with:
          app_id: ${{ secrets.APP_ID }}
          client_id: ${{ secrets.CLIENT_ID }}
          client_secret: ${{ secrets.CLIENT_SECRET }}
          installation_id: ${{ secrets.INSTALLATION_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
      - name: Use token
        env:
          TOKEN: ${{ steps.generate_installation_token.outputs.token }}
        run: |
          echo "The generated token is masked: ${TOKEN}"
```
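For readers who want to see what the `app_id`, `private_key` and `installation_id` inputs are used for in GitHub's App authentication flow, the sketch below builds the short-lived app JWT and the request that exchanges it for an installation token. It is an added example, not this action's source code; the function names, the throwaway key and the IDs `12345` and `67890` are constructed for illustration, and no request is sent.

```javascript
// Added example, not the action's source. Key and IDs are constructed.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// App JWT: RS256, iat backdated 60 s for clock drift, exp within GitHub's 10-minute limit.
function buildAppJwt(appId, privateKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const claims = b64url(JSON.stringify({ iss: String(appId), iat: nowSec - 60, exp: nowSec + 540 }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${claims}`), privateKeyPem);
  return `${header}.${claims}.${sig.toString('base64url')}`;
}

// Check signature and lifetime the way a receiver would; returns the claims or throws.
function verifyAppJwt(jwt, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const [header, claims, sig] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${header}.${claims}`), publicKeyPem,
    Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const parsed = JSON.parse(Buffer.from(claims, 'base64url').toString());
  if (parsed.exp <= nowSec || parsed.exp - parsed.iat > 600) throw new Error('bad lifetime');
  return parsed;
}

// Request that exchanges the JWT for an installation token (built, not sent).
// `permissions` narrows the token below what the installation was granted.
function installationTokenRequest(installationId, jwt, permissions) {
  if (!/^\d+$/.test(String(installationId))) throw new Error('installation_id must be numeric');
  return {
    method: 'POST',
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { authorization: `Bearer ${jwt}`, accept: 'application/vnd.github+json' },
    body: permissions ? JSON.stringify({ permissions }) : undefined,
  };
}

// Constructed demo: throwaway 2048-bit key, made-up app and installation IDs.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const jwt = buildAppJwt(12345, privateKey);
  const request = installationTokenRequest(67890, jwt, { contents: 'read' });
  return { jwt, publicKey, claims: verifyAppJwt(jwt, publicKey), request };
}
```

Passing a `permissions` object, as the demo does with `contents: read`, keeps the resulting token to the least privilege the workflow step needs.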