Clarify that GitHub token is automatically available to all actions

The docs at Workflow syntax for GitHub Actions - GitHub Docs create the impression (and I think this was true in the past, but possibly not) that for an action to access the job-level GitHub token, it has to be specifically passed to it in with, e.g. token: ${{ secrets.GITHUB_TOKEN }}.

The reality is that any action has access to the token anyway, by directly accessing the GitHub context via github.token. An example is to define a default value for the token as done in actions/stale:

inputs:
  repo-token:
    description: 'Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.'
    required: false
    default: ${{ github.token }}

Knowing about this detail will make it easier for developers to reason about security in combination with the new fine-grained token permissions.

Hi @letmaik,

There does seem to be mention of this already elsewhere in docs, for example authentication-in-a-workflow mentions

The token is also available in the github.token context. For more information, see “Context and expression syntax for GitHub Actions.”

github.token string A token to authenticate on behalf of the GitHub App installed on your repository. This is functionally equivalent to the GITHUB_TOKEN secret. For more information, see “Authenticating with the GITHUB_TOKEN.”

Obviously this is only of help to a developer if they happen to read this whilst researching.