How to Create and Delete Personal Access Token's with the Github API?

[ScottPierce]

I have a github bot with a personal access token that some github actions use to make commits during some action runs. I'd like to make a script that can automatically swap out this personal access token, and delete the old one. Is this possible with the github API? If it's not possible, is there another mechanism I should be using instead perhaps?

[gr2m]

It is possible using Basic Authentication, but note that authenticating using basic authentication is deprecated.

const { Octokit } = require("@octokit/rest");
const { createBasicAuth } = require("@octokit/auth-basic");

const octokit = new Octokit({
  authStrategy: createBasicAuth,
  auth: {
    username,
    password,
    token: {
      scopes: ["repo"],
    },
    async on2Fa() {
      throw new Error("2Fa not supported for bot accounts");
    },
  },
});

This will transparently create a personal access token the first time you send a request with the octokit instance. When you are done with everything else, delete the token using

const authorization = await octokit.auth({ type: "token" });
await octokit.request("DELETE /authorizations/:authorization_id", {
  authorization_id: authorization.id,
});

But you mention that you use GitHub Actions. Is there a reason that you cannot use the provided secrets.GITHUB_TOKEN? In case you want to use it for git operations, you need prefix the token, like this

git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/owner/repo.git

The reasons the x-access-token: prefix is necessary is because the GITHUB_TOKEN is an installation access token, in which case it needs to be set as the git pasword, not username. See https://docs.github.com/en/free-pro-team@latest/developers/apps/authenticating-with-github-apps#http-based-git-access-by-an-installation

[ScottPierce]

note that authenticating using basic authentication is deprecated

So does that mean that it's going away?

But you mention that you use GitHub Actions. Is there a reason that you cannot use the provided secrets.GITHUB_TOKEN

When I make a commit with this, GitHub won't trigger another rebuild. i.e. if I have an action run a code style changer with auto-formatting, and then commit the changes with the provided GITHUB_TOKEN, the result won't trigger another build. This means that the latest commit isn't built, and GitHub shows the PR as if it hasn't built, and the status checks aren't passing. This obviously is bad. By having and maintaining my own personal access token, and using it, any commits I make with it inside a github action triggers a rebuild.

[gr2m]

note that authenticating using basic authentication is deprecated

So does that mean that it's going away?

Yes.

But you mention that you use GitHub Actions. Is there a reason that you cannot use the provided secrets.GITHUB_TOKEN

When I make a commit with this, GitHub won't trigger another rebuild. i.e. if I have an action run a code style changer with auto-formatting, and then commit the changes with the provided GITHUB_TOKEN, the result won't trigger another build. This means that the latest commit isn't built, and GitHub shows the PR as if it hasn't built, and the status checks aren't passing. This obviously is bad. By having and maintaining my own personal access token, and using it, any commits I make with it inside a github action triggers a rebuild.

I see. Yes that’s a good reason. I do use personal access tokens for exactly that case. But why would you want them created and deleted each time? I just create one and add a meaningful description.

There is also the alternative to register a GitHub App, install it on the repositories where you need the workflow, and authenticate as the app installation. But you would need to save the app’s private key as repository/organization secret

[ScottPierce]

I see. Yes that’s a good reason. I do use personal access tokens for exactly that case. But why would you want them created and deleted each time? I just create one and add a meaningful description.

Because it's not that difficult to extract the token from a github secret, and it's a security risk. By swapping the token, if someone extracts it, it's not the end of the world, as they will lose access.

[gr2m]

You can implement token rotation by using the REST API endpoints to create/update secrets:

1. https://docs.github.com/en/free-pro-team@latest/rest/reference/actions#create-or-update-a-repository-secret
2. https://docs.github.com/en/free-pro-team@latest/rest/reference/actions#create-or-update-an-organization-secret

That way you can separate the credentials needed to create/delete the tokens from the workflows where you use the tokens. Installation access tokens are great because they expire anyway after 1h. And you can restrict access for an installation access token to a specified repository, and a subset of the permissions that the installation has. E.g. the app needs the secrets:write permission, but you can remove that permission when creating an installation access token.

It all feels like overkill to me though. Can you share in more detail what your use case is please?