{"id":13401657,"url":"https://github.com/actions/create-github-app-token","last_synced_at":"2026-05-13T01:09:57.812Z","repository":{"id":167023156,"uuid":"642580244","full_name":"actions/create-github-app-token","owner":"actions","description":"GitHub Action for creating a GitHub App Installation Access Token","archived":false,"fork":false,"pushed_at":"2026-05-11T19:11:43.000Z","size":6181,"stargazers_count":802,"open_issues_count":21,"forks_count":153,"subscribers_count":12,"default_branch":"main","last_synced_at":"2026-05-11T20:29:14.758Z","etag":null,"topics":["automation","github-actions","hacktoberfest","tokens"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/create-github-app-token","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/actions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-18T22:34:57.000Z","updated_at":"2026-05-11T19:11:02.000Z","dependencies_parsed_at":"2023-11-12T17:23:07.888Z","dependency_job_id":"0fcec1a2-885d-4323-a767-139d1559a15b","html_url":"https://github.com/actions/create-github-app-token","commit_stats":{"total_commits":120,"total_committers":21,"mean_commits":5.714285714285714,"dds":0.7416666666666667,"last_synced_commit":"25cc3bdc279c3498f554da7599deab2213b272e6"},"previous_names":["gr2m/app-token-action","gr2m/github-app-token-action","actions/github-app-token","actions/create-github-app-token"],"tags_count":74,"template":false,"template_full_name":null,"purl":"pkg:github/actions/create-github-app-token","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actions%2Fcreate-github-app-token","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actions%2Fcreate-github-app-token/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actions%2Fcreate-github-app-token/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actions%2Fcreate-github-app-token/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/actions","download_url":"https://codeload.github.com/actions/create-github-app-token/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/actions%2Fcreate-github-app-token/sbom","scorecard":{"id":163777,"data":{"date":"2025-08-11","repo":{"name":"github.com/actions/create-github-app-token","commit":"fcc6c288e5046f2c3614766b9abb3c41fc5b56c6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.7,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":8,"reason":"10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":4,"reason":"Found 9/20 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish-immutable-action.yml:11","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/publish-immutable-action.yml:13","Warn: no topLevel permission defined: .github/workflows/publish-immutable-action.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:15","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update-permission-inputs.yml:15"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-immutable-action.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/publish-immutable-action.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-immutable-action.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/publish-immutable-action.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-permission-inputs.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/update-permission-inputs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-permission-inputs.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/create-github-app-token/update-permission-inputs.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/release.yml:37","Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   2 third-party GitHubAction dependencies pinned","Info:   4 out of   5 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/actions/.github/SECURITY.md:1","Info: Found linked content: github.com/actions/.github/SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: github.com/actions/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:14"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":7,"reason":"SAST tool is not run on all commits -- score normalized to 7","details":["Warn: 15 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T14:18:03.011Z","repository_id":167023156,"created_at":"2025-08-16T14:18:03.011Z","updated_at":"2025-08-16T14:18:03.011Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32963211,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T23:30:32.555Z","status":"ssl_error","status_checked_at":"2026-05-12T23:30:18.191Z","response_time":102,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","github-actions","hacktoberfest","tokens"],"created_at":"2024-07-30T19:01:05.335Z","updated_at":"2026-05-13T01:09:57.802Z","avatar_url":"https://github.com/actions.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# Create GitHub App Token\n\n[![test](https://github.com/actions/create-github-app-token/actions/workflows/test.yml/badge.svg)](https://github.com/actions/create-github-app-token/actions/workflows/test.yml)\n\nGitHub Action for creating a GitHub App installation access token.\n\n## Usage\n\nIn order to use this action, you need to:\n\n1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).\n2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).\n3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).\n\n\u003e [!IMPORTANT]\n\u003e An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.\n\n### Create a token for the current repository\n\n```yaml\nname: Run tests on staging\non:\n  push:\n    branches:\n      - main\n\njobs:\n  hello-world:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n      - uses: ./actions/staging-tests\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n```\n\n### Use app token with `actions/checkout`\n\n```yaml\non: [pull_request]\n\njobs:\n  auto-format:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          # required\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n      - uses: actions/checkout@v6\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n          ref: ${{ github.head_ref }}\n          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config\n          persist-credentials: false\n      - uses: creyD/prettier_action@v6\n        with:\n          github_token: ${{ steps.app-token.outputs.token }}\n```\n\n### Create a git committer string for an app installation\n\n```yaml\non: [pull_request]\n\njobs:\n  auto-format:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          # required\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n      - name: Get GitHub App User ID\n        id: get-user-id\n        run: echo \"user-id=$(gh api \"/users/${{ steps.app-token.outputs.app-slug }}[bot]\" --jq .id)\" \u003e\u003e \"$GITHUB_OUTPUT\"\n        env:\n          GH_TOKEN: ${{ steps.app-token.outputs.token }}\n      - id: committer\n        run: echo \"string=${{ steps.app-token.outputs.app-slug }}[bot] \u003c${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com\u003e\"  \u003e\u003e \"$GITHUB_OUTPUT\"\n      - run: echo \"committer string is ${{ steps.committer.outputs.string }}\"\n```\n\n### Configure git CLI for an app's bot user\n\n```yaml\non: [pull_request]\n\njobs:\n  auto-format:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          # required\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n      - name: Get GitHub App User ID\n        id: get-user-id\n        run: echo \"user-id=$(gh api \"/users/${{ steps.app-token.outputs.app-slug }}[bot]\" --jq .id)\" \u003e\u003e \"$GITHUB_OUTPUT\"\n        env:\n          GH_TOKEN: ${{ steps.app-token.outputs.token }}\n      - run: |\n          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'\n          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'\n      # git commands like commit work using the bot user\n      - run: |\n          git add .\n          git commit -m \"Auto-generated changes\"\n          git push\n```\n\n\u003e [!TIP]\n\u003e The `\u003cBOT USER ID\u003e` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/\u003capp-slug\u003e%5Bbot%5D`.\n\u003e\n\u003e For example, we can check at `https://api.github.com/users/dependabot[bot]` to see the user ID of Dependabot is 49699333.\n\u003e\n\u003e Alternatively, you can use the [octokit/request-action](https://github.com/octokit/request-action) to get the ID.\n\n### Create a token for all repositories in the current owner's installation\n\n```yaml\non: [workflow_dispatch]\n\njobs:\n  hello-world:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n          owner: ${{ github.repository_owner }}\n      - uses: peter-evans/create-or-update-comment@v4\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n          issue-number: ${{ github.event.issue.number }}\n          body: \"Hello, World!\"\n```\n\n### Create a token for multiple repositories in the current owner's installation\n\n```yaml\non: [issues]\n\njobs:\n  hello-world:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n          owner: ${{ github.repository_owner }}\n          repositories: |\n            repo1\n            repo2\n      - uses: peter-evans/create-or-update-comment@v4\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n          issue-number: ${{ github.event.issue.number }}\n          body: \"Hello, World!\"\n```\n\n### Create a token for all repositories in another owner's installation\n\n```yaml\non: [issues]\n\njobs:\n  hello-world:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n          owner: another-owner\n      - uses: peter-evans/create-or-update-comment@v4\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n          issue-number: ${{ github.event.issue.number }}\n          body: \"Hello, World!\"\n```\n\n### Create a token with specific permissions\n\n\u003e [!NOTE]\n\u003e Selected permissions must be granted to the installation of the specified app and repository owner. Setting a permission that the installation does not have will result in an error.\n\n```yaml\non: [issues]\n\njobs:\n  hello-world:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n          owner: ${{ github.repository_owner }}\n          permission-issues: write\n      - uses: peter-evans/create-or-update-comment@v4\n        with:\n          token: ${{ steps.app-token.outputs.token }}\n          issue-number: ${{ github.event.issue.number }}\n          body: \"Hello, World!\"\n```\n\n### Create tokens for multiple user or organization accounts\n\nYou can use a matrix strategy to create tokens for multiple user or organization accounts.\n\n\u003e [!NOTE]\n\u003e See [this documentation](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings) for information on using multiline strings in workflows.\n\n```yaml\non: [workflow_dispatch]\n\njobs:\n  set-matrix:\n    runs-on: ubuntu-latest\n    outputs:\n      matrix: ${{ steps.set.outputs.matrix }}\n    steps:\n      - id: set\n        run: echo 'matrix=[{\"owner\":\"owner1\"},{\"owner\":\"owner2\",\"repos\":[\"repo1\"]}]' \u003e\u003e\"$GITHUB_OUTPUT\"\n\n  use-matrix:\n    name: \"@${{ matrix.owners-and-repos.owner }} installation\"\n    needs: [set-matrix]\n    runs-on: ubuntu-latest\n    strategy:\n      matrix:\n        owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}\n\n    steps:\n      - uses: actions/create-github-app-token@v3\n        id: app-token\n        with:\n          client-id: ${{ vars.APP_CLIENT_ID }}\n          private-key: ${{ secrets.APP_PRIVATE_KEY }}\n          owner: ${{ matrix.owners-and-repos.owner }}\n          repositories: ${{ join(matrix.owners-and-repos.repos) }}\n      - uses: octokit/request-action@v2.x\n        id: get-installation-repositories\n        with:\n          route: GET /installation/repositories\n        env:\n          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}\n      - run: echo \"$MULTILINE_JSON_STRING\"\n        env:\n          MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}\n```\n\n### Run the workflow in a github.com repository against an organization in GitHub Enterprise Server\n\n```yaml\non: [push]\n\njobs:\n  create_issue:\n    runs-on: self-hosted\n\n    steps:\n      - name: Create GitHub App token\n        id: create_token\n        uses: actions/create-github-app-token@v3\n        with:\n          client-id: ${{ vars.GHES_APP_CLIENT_ID }}\n          private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}\n          owner: ${{ vars.GHES_INSTALLATION_ORG }}\n          github-api-url: ${{ vars.GITHUB_API_URL }}\n\n      - name: Create issue\n        uses: octokit/request-action@v2.x\n        with:\n          route: POST /repos/${{ github.repository }}/issues\n          title: \"New issue from workflow\"\n          body: \"This is a new issue created from a GitHub Action workflow.\"\n        env:\n          GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}\n```\n\n### Proxy support\n\nThis action relies on Node.js native proxy support.\n\nIf you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: \"1\"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.\n\n```yaml\n- uses: actions/create-github-app-token@v3\n  id: app-token\n  env:\n    HTTPS_PROXY: http://proxy.example.com:8080\n    NO_PROXY: github.example.com\n    NODE_USE_ENV_PROXY: \"1\"\n  with:\n    client-id: ${{ vars.APP_CLIENT_ID }}\n    private-key: ${{ secrets.APP_PRIVATE_KEY }}\n```\n\n## Inputs\n\n### `client-id` or `app-id`\n\n**Required:** GitHub App Client ID.\n\n\u003e [!NOTE]\n\u003e The legacy `app-id` input is also accepted, but `client-id` is recommended.\n\n### `private-key`\n\n**Required:** GitHub App private key. Escaped newlines (`\\\\n`) will be automatically replaced with actual newlines.\n\nSome other actions may require the private key to be Base64 encoded. To avoid recreating a new secret, it can be decoded on the fly, but it needs to be managed securely. Here is an example of how this can be achieved:\n\n```yaml\nsteps:\n  - name: Decode the GitHub App Private Key\n    id: decode\n    run: |\n      private_key=$(echo \"${{ secrets.APP_PRIVATE_KEY }}\" | base64 -d | awk 'BEGIN {ORS=\"\\\\n\"} {print}' | head -c -2) \u0026\u003e /dev/null\n      echo \"::add-mask::$private_key\"\n      echo \"private-key=$private_key\" \u003e\u003e \"$GITHUB_OUTPUT\"\n  - name: Generate GitHub App Token\n    id: app-token\n    uses: actions/create-github-app-token@v3\n    with:\n      client-id: ${{ vars.APP_CLIENT_ID }}\n      private-key: ${{ steps.decode.outputs.private-key }}\n```\n\n### `owner`\n\n**Optional:** The owner of the GitHub App installation. If empty, defaults to the current repository owner.\n\n### `repositories`\n\n**Optional:** Comma or newline-separated list of repositories to grant access to.\n\n\u003e [!NOTE]\n\u003e If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.\n\n### `permission-\u003cpermission name\u003e`\n\n**Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests` → `permission-pull-requests`).\n\nThe reason we define one `permision-\u003cpermission name\u003e` input per permission is to benefit from type intelligence and input validation built into GitHub's action runner.\n\n### `skip-token-revoke`\n\n**Optional:** If true, the token will not be revoked when the current job is complete.\n\n### `github-api-url`\n\n**Optional:** The URL of the GitHub REST API. Defaults to the URL of the GitHub Rest API where the workflow is run from.\n\n## Outputs\n\n### `token`\n\nGitHub App installation access token.\n\n### `installation-id`\n\nGitHub App installation ID.\n\n### `app-slug`\n\nGitHub App slug.\n\n## How it works\n\nThe action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,\n\n1. The token is scoped to the current repository or `repositories` if set.\n2. The token inherits all the installation's permissions.\n3. The token is set as output `token` which can be used in subsequent steps.\n4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.\n5. The token is masked, it cannot be logged accidentally.\n\n\u003e [!NOTE]\n\u003e Installation permissions can differ from the app's permissions they belong to. Installation permissions are set when an app is installed on an account. When the app adds more permissions after the installation, an account administrator will have to approve the new permissions before they are set on the installation.\n\n## Contributing\n\n[CONTRIBUTING.md](CONTRIBUTING.md)\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factions%2Fcreate-github-app-token","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factions%2Fcreate-github-app-token","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factions%2Fcreate-github-app-token/lists"}