GitHub Actions issuing GitHub access tokens from GitHub Apps should limit repositories.

This policy supports the following actions:

- https://github.com/tibdex/github-app-token
- https://github.com/actions/create-github-app-token
## https://github.com/tibdex/github-app-token

❌

```yaml
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
  with:
    app_id: ${{secrets.APP_ID}}
    private_key: ${{secrets.PRIVATE_KEY}}
```

⭕

```yaml
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
  with:
    app_id: ${{secrets.APP_ID}}
    private_key: ${{secrets.PRIVATE_KEY}}
    repositories: >-
      ["${{github.event.repository.name}}"]
```
## https://github.com/actions/create-github-app-token

❌

```yaml
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
  with:
    app-id: ${{vars.APP_ID}}
    private-key: ${{secrets.PRIVATE_KEY}}
    owner: ${{github.repository_owner}}
```

⭕

```yaml
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
  with:
    app-id: ${{vars.APP_ID}}
    private-key: ${{secrets.PRIVATE_KEY}}
    owner: ${{github.repository_owner}}
    repositories: "repo1,repo2"
```

Or

If `owner` and `repositories` are both empty, access is scoped to only the current repository.

```yaml
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
  with:
    app-id: ${{vars.APP_ID}}
    private-key: ${{secrets.PRIVATE_KEY}}
```
The scope of access tokens should be limited: an installation token that is not restricted to specific repositories can act on every repository the GitHub App is installed on.

We don't recommend it, but if you want to ignore a violation of this policy, configure an exclusion in the configuration file.
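The policy's three outcomes from the examples above (tibdex without `repositories`, create-github-app-token with `owner` but no `repositories`, and the both-empty case that scopes the token to the current repository), as an added check written for this page rather than ghalint's own code; it operates on an already-parsed workflow (a dict in the shape `yaml.safe_load` would return) and honours `excludes` entries of the form shown in this document. The sample workflow and the `_action_name` helper are constructed here, not taken from the page.

```python
POLICY = "github_app_should_limit_repositories"


def _action_name(uses):
    # "owner/repo@ref" -> "owner/repo"; local (./) and docker:// actions never match
    return uses.split("@", 1)[0]


def step_violates(step):
    """True if the step issues a GitHub App token without limiting repositories."""
    uses = step.get("uses", "")
    if not isinstance(uses, str):
        return False
    inputs = step.get("with") or {}
    name = _action_name(uses)
    if name == "tibdex/github-app-token":
        return not inputs.get("repositories")  # repositories is the only way to scope
    if name == "actions/create-github-app-token":
        if inputs.get("repositories"):
            return False
        # owner without repositories = every repo of that owner; both empty = current repo only
        return bool(inputs.get("owner"))
    return False


def check_workflow(path, workflow, excludes=()):
    """Return (workflow_file_path, job_name, step_id) for each non-excluded violation."""
    violations = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            if not step_violates(step):
                continue
            step_id = step.get("id", "")
            excluded = any(e.get("policy_name") == POLICY and e.get("workflow_file_path") == path
                           and e.get("job_name") == job_name and e.get("step_id") == step_id
                           for e in excludes)
            if not excluded:
                violations.append((path, job_name, step_id))
    return violations


# Constructed sample: the parsed form of one job with the three token-issuing variants above.
TIBDEX = "tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a"
CREATE = "actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9"
SAMPLE_WORKFLOW = {"jobs": {"release": {"steps": [
    {"id": "unscoped_tibdex", "uses": TIBDEX,
     "with": {"app_id": "${{secrets.APP_ID}}", "private_key": "${{secrets.PRIVATE_KEY}}"}},
    {"id": "owner_only", "uses": CREATE,
     "with": {"app-id": "${{vars.APP_ID}}", "private-key": "${{secrets.PRIVATE_KEY}}",
              "owner": "${{github.repository_owner}}"}},
    {"id": "current_repo", "uses": CREATE,
     "with": {"app-id": "${{vars.APP_ID}}", "private-key": "${{secrets.PRIVATE_KEY}}"}},
]}}}
```

Running `check_workflow(".github/workflows/release.yaml", SAMPLE_WORKFLOW)` reports the first two steps and accepts `current_repo`; adding an `excludes` entry with that path, job `release` and step id `owner_only` suppresses the second finding.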
e.g.

ghalint.yaml

```yaml
excludes:
  - policy_name: github_app_should_limit_repositories
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint
    step_id: create_token
```
- workflow: `policy_name`, `workflow_file_path`, `job_name`, `step_id` are required.
- action: `policy_name`, `action_file_path`, `step_id` are required.