GitHub token lifetime?

I’m working on a workflow with a fairly long build and I’m seeing failures in code designed to interact with the PR (adding a comment with a link to the build result) at the end of the build.

I’m running the workflow on Mac and PC and both flows use the same Python script set up with the same environment variables in order to upload the build to S3 and then post a comment on the PR.

The Mac build takes about a half hour and completes fine.  The PC build takes about 1 hour and 15 minutes before it runs the script at which point the script throws an exception:

401 {"message": "Bad credentials", "documentation_url": ""}

If I alter the build so it skips some of the longer duration components (and thus completes in less than an hour) it runs fine.  So I’m guessing that the token created for the workflow only has a lifetime of about an hour?  GitHub workflows are allowed to run for up to 6 hours though, so it seems like the token lifetime should be at least that long.


Indeed, the token expires after 1 hour. From

“The GITHUB_TOKEN secret is a GitHub App installation access token.”


“The installation access token expires after 60 minutes.”

So it expires at an hour, is there any workaround for this? I too want a long-ish running task to then comment or create an issue, but I’m getting the 401 error. What options do I have?

The only workaround I found is to create a personal access token, add it to secrets (say, PAT), and use ${{ secrets.PAT }} instead:

- name: Create Release
  id: create_release
  uses: actions/create-release@v1
  env:
    # The PAT replaces the default short-lived GITHUB_TOKEN here
    GITHUB_TOKEN: ${{ secrets.PAT }}
  with:
    tag_name: ${{ github.ref }}

But this is suboptimal, since the actions would be from your name, not from the name of the bot.


@mikedombo - That’s a great question. I think it’s worth mentioning that the “Authenticating with the GITHUB_TOKEN: About the GITHUB_TOKEN secret” article was recently updated with this note:

Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.

Given this documented behavior, you could create a workflow with many jobs, where each job cites the GITHUB_TOKEN in an environment variable. I’m wondering if that would help with what you’re looking to accomplish?
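
The multi-job layout suggested in the reply above, as an added example that is not part of the original thread: the long build runs in one job with a read-only token, and a short second job, which gets its own freshly issued GITHUB_TOKEN, posts the PR comment. The workflow name, job names, the `build.py` and `upload_to_s3.py` scripts and the `build_url` output are assumptions made for illustration.

```yaml
# Added example, not from the thread. Script names and build_url are hypothetical.
name: build-and-comment
on: pull_request

# Default every job to a read-only token; only the comment job is widened.
permissions:
  contents: read

jobs:
  build:
    runs-on: windows-latest
    outputs:
      build_url: ${{ steps.upload.outputs.build_url }}
    steps:
      - uses: actions/checkout@v4
      - name: Long build (may run past 60 minutes)
        run: python build.py             # hypothetical build script
      - name: Upload build to S3
        id: upload
        shell: bash
        # S3 credentials go here as in the existing workflow (not shown).
        run: |
          url="$(python upload_to_s3.py)"  # hypothetical: prints the result URL
          echo "build_url=$url" >> "$GITHUB_OUTPUT"

  comment:
    needs: build            # starts only after the build job has finished
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write  # the only write scope this job needs
    steps:
      - name: Post build link on the PR
        env:
          # Values are passed through env, not interpolated into the script,
          # so untrusted text cannot be injected into the shell command.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_URL: ${{ needs.build.outputs.build_url }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          curl --fail -sS -X POST \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/$REPO/issues/$PR_NUMBER/comments" \
            --data "$(jq -n --arg b "Build result: $BUILD_URL" '{body: $b}')"
```

Job outputs that contain a registered secret value are not passed between jobs, so the URL handed to the comment job must not embed one.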