create and use personal access token for release please github action

The manual for the release-please GitHub Action describes how to configure your repository so it can open and approve pull requests. It also mentions that you will need a personal access token with the correct permissions if you want your regular GitHub Actions CI tests to run on the resulting pull requests. However, it doesn't specify exactly which permissions you need to set for your personal access token or how to get the workflow to see the token as a repository secret. So I am documenting this here, because I am sure to forget this quickly (and it took me several attempts to figure this out).

fine-grained personal access token

Follow the GitHub documentation for creating a fine-grained personal access token.

Resource owner

Here, make sure to choose the account that your targeted repositories live under. This is either your personal account or an organizational account. If you cannot see an organizational account that you are trying to target with your new fine-grained access token, you will have to make sure the organization has them activated via organizational Settings -> Third-party Access -> Personal access tokens.

Expiration

You can renew tokens, but I haven't done this. Not sure if you will have to re-generate a new one and replace the existing one or how this process is organized. But for the release-please use case, you probably want the longest possible expiration time.

Repository access

Grant the new token access to your targeted repositories. This will be one of:

  • All repositories (very permissive, probably only use on tokens you only use in your personal account)
  • Only select repositories (a token for a defined set of repositories will usually be the most reasonable and secure option)

For permissions, set the following to read and write:

  • contents
  • pull-requests

Once the token is generated, make sure to save it like you would save a password, as you will need it like a password for the following steps, and every time you set up a repository with that token in that way.

token as a secret

To make the token available in the secrets scope of your workflow definitions, you need to follow the GitHub documentation on creating secrets for a repository. What you specify as the Name will become the variable you can later use under the secrets scope. Let's say you choose SOME_NEW_TOKEN. In the Secret field, you add the token that you generated and saved like a password. Once you hit Add secret, you can use the variable ${{ secrets.SOME_NEW_TOKEN }} in the workflows in the respective repository, for example in the token: field for the release-please GitHub Action.
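
A minimal workflow that passes the secret in the token: field, as an added example that is not part of the original gist. The file path, the action reference googleapis/release-please-action@v4, the branch name main, the release-type value and the empty permissions block are assumptions to adapt to your repository.

```yaml
# .github/workflows/release-please.yml  (file name is an assumption)
name: release-please

on:
  push:
    branches:
      - main   # assumed default branch

# Assumption: the action makes its API calls with the personal access token
# passed below, so the automatic GITHUB_TOKEN is given no permissions here.
# Widen this only if you add steps that need it.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4   # assumed action version
        with:
          # Fine-grained personal access token with contents and pull-requests
          # set to read and write, stored as the repository secret
          # SOME_NEW_TOKEN. Reference it only through the secrets scope and
          # never paste the token value into the workflow file.
          token: ${{ secrets.SOME_NEW_TOKEN }}
          release-type: simple   # assumed; choose the type matching your project
```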