Security Best Practices
Token Exposure Prevention
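# BAD: the token is interpolated into the command itself, so the
# plaintext value becomes part of the step's log output
- name: Debug token
  run: echo "Token: ${{ steps.app_token.outputs.token }}"

# GOOD: the token is handed to the process as an environment variable;
# it is never echoed or placed on a command line that gets logged
- name: Use token
  env:
    GH_TOKEN: ${{ steps.app_token.outputs.token }}
  run: |
    gh api /user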
Minimize Token Lifetime
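jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      # Generate the token as late as possible: every step that does not
      # need it runs first, so the token exists for the shortest window.
      - uses: actions/checkout@v4

      - name: Prepare environment
        run: |
          # Setup steps that don't need token
          npm install

      # Generate the token only when it is about to be used.
      # NOTE: create-github-app-token revokes the token in its post step
      # by default; leave skip-token-revoke unset so the token does not
      # outlive the job.
      - name: Generate token
        id: app_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CORE_APP_ID }}
          private-key: ${{ secrets.CORE_APP_PRIVATE_KEY }}
          owner: your-org

      # Consume the token in the very next step; it is read from the
      # environment rather than echoed or interpolated into the command.
      - name: Use token immediately
        env:
          GH_TOKEN: ${{ steps.app_token.outputs.token }}
        run: |
          gh api /orgs/your-org/repos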
Audit Token Usage
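# Record which repository, workflow and actor performed the org-level
# operation so use of the Core App token can be traced afterwards.
# The values are read from the runner's default environment variables
# instead of being interpolated into the script with ${{ }}, matching
# the env-variable pattern this page uses for the token itself.
- name: Log operation
  run: |
    echo "::notice::Starting org-level operation with Core App"
    echo "Repository: $GITHUB_REPOSITORY"
    echo "Workflow: $GITHUB_WORKFLOW"
    echo "Actor: $GITHUB_ACTOR"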