참고 항목
GitHub 호스트 실행기는 현재 GitHub Enterprise Server에서 지원되지 않습니다. GitHub public roadmap에 예정된 향후 지원에 대해 자세히 알아볼 수 있습니다.
About the GITHUB_TOKEN secret
At the start of each workflow job, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in the workflow job.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see Permissions for the GITHUB_TOKEN.
Before each job begins, GitHub fetches an installation access token for the job. GITHUB_TOKEN은 작업이 완료되거나 최대 24시간 후에 만료됩니다.
The token is also available in the github.token context. For more information, see 워크플로 실행에 대한 컨텍스트 정보에 액세스.
Using the GITHUB_TOKEN in a workflow
You can use the GITHUB_TOKEN by using the standard syntax for referencing secrets: ${{ secrets.GITHUB_TOKEN }}. Examples of using the GITHUB_TOKEN include passing the token as an input to an action, or using it to make an authenticated GitHub API request.
중요
An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see Permissions for the GITHUB_TOKEN.
리포지토리의 GITHUB_TOKEN을 사용하여 작업을 수행하는 경우 workflow_dispatch 및 repository_dispatch를 제외하고 GITHUB_TOKEN이 트리거하는 이벤트는 새 워크플로 실행을 만들지 않습니다. 이렇게 하면 실수로 재귀 워크플로 실행을 만들지 못하도록 방지됩니다. 예를 들어, 워크플로 실행이 리포지토리의 GITHUB_TOKEN을 사용하여 코드를 푸시하는 경우 리포지토리가 push 이벤트 발생 시 실행되도록 구성된 워크플로를 포함하고 있더라도 새 워크플로가 실행되지 않습니다.
GITHUB_TOKEN을 사용하는 GitHub Actions 워크플로에서 푸시한 커밋은 GitHub Pages 빌드를 트리거하지 않습니다.
Example 1: passing the GITHUB_TOKEN as an input
이 예제 워크플로는 GH_TOKEN 입력 매개 변수의 값으로 GITHUB_TOKEN이 필요한 GitHub CLI를 사용합니다.
name: Open new issue
on: workflow_dispatch
jobs:
open-issue:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- run: |
gh issue --repo ${{ github.repository }} \
create --title "Issue title" --body "Issue body"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
name: Open new issue
on: workflow_dispatch
jobs:
open-issue:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- run: |
gh issue --repo ${{ github.repository }} \
create --title "Issue title" --body "Issue body"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Example 2: calling the REST API
You can use the GITHUB_TOKEN to make authenticated API calls. This example workflow creates an issue using the GitHub REST API:
name: Create issue on commit
on: [ push ]
jobs:
create_issue:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Create issue using REST API
run: |
curl --request POST \
--url http(s)://HOSTNAME/api/v3/repos/${{ github.repository }}/issues \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"title": "Automated issue for commit: ${{ github.sha }}",
"body": "This issue was automatically created by the GitHub Action workflow **${{ github.workflow }}**. \n\n The commit hash was: _${{ github.sha }}_."
}' \
--fail
Permissions for the GITHUB_TOKEN
For information about the API endpoints GitHub Apps can access with each permission, see GitHub 앱에 필요한 권한.
The following table shows the permissions granted to the GITHUB_TOKEN by default. People with admin permissions to an organization or repository can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the GITHUB_TOKEN for your enterprise, organization, or repository, see 엔터프라이즈에서 GitHub Actions에 대한 정책 적용, 조직의 GitHub Actions 사용 안 함 또는 제한, or 리포지토리에 대한 GitHub Actions 설정 관리.
| Scope | Default access (permissive) | Default access (restricted) | Maximum access for pull requests from public forked repositories |
|---|---|---|---|
| actions | read/write | none | read |
| checks | read/write | none | read |
| contents | read/write | read | read |
| deployments | read/write | none | read |
| discussions | read/write | none | read |
| issues | read/write | none | read |
| metadata | read | read | read |
| models | read | none | none |
| packages | read/write | read | read |
| pages | read/write | none | read |
| pull-requests | read/write | none | read |
| repository-projects | read/write | none | read |
| security-events | read/write | none | read |
| statuses | read/write | none | read |
참고 항목
- When a workflow is triggered by the
pull_request_targetevent, theGITHUB_TOKENis granted read/write repository permission, even when it is triggered from a public fork. For more information, see 워크플로를 트리거하는 이벤트. - Private repositories can control whether pull requests from forks can run workflows, and can configure the permissions assigned to
GITHUB_TOKEN. For more information, see 리포지토리에 대한 GitHub Actions 설정 관리. - Dependabot 끌어오기 요청에 의해 트리거되는 워크플로 실행은 포크된 리포지토리에서 온 것처럼 실행되므로 읽기 전용
GITHUB_TOKEN을 사용합니다. 이러한 워크플로 실행은 비밀에 액세스할 수 없습니다. 워크플로의 안전한 유지를 위한 전략의 자세한 내용은 Security hardening for GitHub Actions을(를) 참조하세요.
Modifying the permissions for the GITHUB_TOKEN
You can modify the permissions for the GITHUB_TOKEN in individual workflow files. If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully. If the default permissions are permissive, you can edit the workflow file to remove some permissions from the GITHUB_TOKEN. As a good security practice, you should grant the GITHUB_TOKEN the least required access.
You can see the permissions that GITHUB_TOKEN had for a specific job in the "Set up job" section of the workflow run log. For more information, see Using workflow run logs.
You can use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job.
또한 permissions 키를 사용하여 포크된 리포지토리에 대한 읽기 권한을 추가 및 제거할 수 있지만 일반적으로 쓰기 액세스 권한은 부여할 수 없습니다. 이 동작의 예외는 관리 사용자가 GitHub Actions 설정의 끌어오기 요청에서 워크플로에 쓰기 토큰 보내기 옵션을 선택한 경우입니다. 자세한 내용은 리포지토리에 대한 GitHub Actions 설정 관리을(를) 참조하세요.
The two workflow examples earlier in this article show the permissions key being used at the job level, as it is best practice to limit the permissions' scope.
For full details of the permissions key, see GitHub Actions에 대한 워크플로 구문.
참고 항목
Organization and enterprise owners can prevent you from granting write access to the GITHUB_TOKEN at the repository level. For more information, see 조직의 GitHub Actions 사용 안 함 또는 제한 and 엔터프라이즈에서 GitHub Actions에 대한 정책 적용.
When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.
How the permissions are calculated for a workflow job
The permissions for the GITHUB_TOKEN are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only.
Granting additional permissions
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, you can create a GitHub App and generate an installation access token within your workflow. For more information, see GitHub Actions 워크플로에서 GitHub 앱을 사용하여 인증된 API 요청 만들기. Alternatively, you can create a personal access token, store it as a secret in your repository, and use the token in your workflow with the ${{ secrets.SECRET_NAME }} syntax. For more information, see 개인용 액세스 토큰 관리 and Using secrets in GitHub Actions.