GITHUB_TOKEN
Learn whatGITHUB_TOKEN is, how it works, and why it matters for secure automation in GitHub Actions workflows.
In this article
About theGITHUB_TOKEN
At the start of each workflow job, GitHub automatically creates a uniqueGITHUB_TOKEN secret to use in your workflow. You can use theGITHUB_TOKEN to authenticate in the workflow job.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. TheGITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, seeWorkflow syntax for GitHub Actions.
Before each job begins, GitHub fetches an installation access token for the job. TheGITHUB_TOKEN expires when a job finishes or after a maximum of 24 hours.
The token is also available in thegithub.token context. For more information, seeContexts reference.
WhenGITHUB_TOKEN triggers workflow runs
When you use the repository'sGITHUB_TOKEN to perform tasks, events triggered by theGITHUB_TOKEN, with the exception ofworkflow_dispatch andrepository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository'sGITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run whenpush events occur.
Commits pushed by a GitHub Actions workflow that uses theGITHUB_TOKEN do not trigger a GitHub Pages build.