Generate short-lived installation tokens from GitHub App credentials with actions/create-github-app-token. Organization-scoped and repository-scoped patterns for automated cross-repo workflows.
Generate short-lived GitHub App installation tokens for automated cross-repository workflows. Use when you need organization-wide or repository-scoped access for CI/CD automation without user interaction.
/plugin marketplace add adaptive-enforcement-lab/claude-skills/plugin install patterns@ael-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
examples.mdreference.mdscripts/example-1.mermaidscripts/example-2.yamlscripts/example-3.yamlscripts/example-4.yamlInstallation tokens authenticate your GitHub App for specific repository operations. They enable:
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
Installation tokens provide automated, secure access to repositories where your GitHub App is installed. Use installation tokens for GitHub Actions workflows, CI/CD automation, and cross-repository operations.
When to Use Installation Tokens
Installation tokens are for automated repository operations. Use JWT for app-level operations and OAuth for user-attributed actions.
Installation tokens authenticate your GitHub App for specific repository operations. They enable:
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
See examples.md for detailed code examples.
Generate a token scoped to the current repository.
See examples.md for detailed code examples.
Output: Token accessible via ${{ steps.app_token.outputs.token }}
Scope: Current repository only (where workflow runs)
Generate tokens with access to all repositories where the app is installed.
See examples.md for detailed code examples.
Owner Parameter is Critical
- With
owner: Access all repositories in the organization- Without
owner: Access only the current repository- Must match your GitHub organization name exactly
Use cases:
Limit token access to specific repositories for enhanced security.
See examples.md for detailed code examples.
Security Best Practice
Use repository-scoped tokens when you know exactly which repositories need access. This follows the principle of least privilege.
Benefits:
Don't Use Installation Tokens For
- User-attributed actions - Use OAuth instead
- App-level operations - Use JWT (list installations, get app manifest)
- Public repository read-only access - Use
GITHUB_TOKENif simpler- Personal repository access - Use OAuth for user's private repos
- Operations requiring user identity - Actions appear as "bot" with installation tokens
Installation tokens authenticate your GitHub App for specific repository operations. They enable:
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
See examples.md for detailed code examples.
Generate a token scoped to the current repository.
See examples.md for detailed code examples.
Output: Token accessible via ${{ steps.app_token.outputs.token }}
Scope: Current repository only (where workflow runs)
Generate tokens with access to all repositories where the app is installed.
See examples.md for detailed code examples.
Owner Parameter is Critical
- With
owner: Access all repositories in the organization- Without
owner: Access only the current repository- Must match your GitHub organization name exactly
Use cases:
Limit token access to specific repositories for enhanced security.
See examples.md for detailed code examples.
Security Best Practice
Use repository-scoped tokens when you know exactly which repositories need access. This follows the principle of least privilege.
Benefits:
Don't Use Installation Tokens For
- User-attributed actions - Use OAuth instead
- App-level operations - Use JWT (list installations, get app manifest)
- Public repository read-only access - Use
GITHUB_TOKENif simpler- Personal repository access - Use OAuth for user's private repos
- Operations requiring user identity - Actions appear as "bot" with installation tokens
See examples.md for code examples.
See reference.md for complete documentation.