[security] Is GITHUB_TOKEN different for each Action run?

Hi, I’m having this question because of the Codecov uploader security breach, which has exposed all environment variables (including GITHUB_TOKEN). Since I have no control over this particular environment variable, I wonder if it is generated for each run (so I shouldn’t worry about it being exposed) or if it persists across runs (so I should worry a lot).

If it’s not generated on each run, is there any way to regenerate it?

Thanks!

Yes, see Authentication in a workflow - GitHub Docs

Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.


Hi @ylemkimon,

I read that article but it wasn’t clear to me that the token was rotated, because I’m not familiar with the internals of how GitHub Apps work.

Are you sure the documentation there really implies that the token is different for each run/GitHub App installation?

Thanks!

Yes. If in doubt, you can always test it yourself, e.g., echo -n "${{ github.token }}" | sha256sum (note it’d be possible to infer the token from the hash, as the token has a fixed length and characters, so do not test this in a public or real repository). This will give a different hash every time the workflow is run.
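As an added illustration of the experiment suggested above (not part of the original thread), here is a throwaway workflow for a private scratch repository. It fingerprints the token in two separate jobs of the same run, so it also shows the per-job scoping described in the quoted documentation: the two jobs print different fingerprints, and re-running the workflow prints new ones again. The workflow name and job names are my own choices.

```yaml
# Added example, not from the original thread: fingerprint the job-scoped
# GITHUB_TOKEN in two jobs of one run. Use only in a private scratch repo,
# as the answer above advises, since the hash is not masked in the logs.
name: token-fingerprint-check

on: workflow_dispatch

# Least privilege: the experiment needs no write access at all, so the
# installation token is restricted to read-only contents permission.
permissions:
  contents: read

jobs:
  job-a:
    runs-on: ubuntu-latest
    steps:
      - name: Fingerprint GITHUB_TOKEN in job A
        env:
          TOKEN: ${{ github.token }}
        run: |
          # Truncated digest: enough to compare, without logging the full hash
          printf '%s' "$TOKEN" | sha256sum | cut -c1-16

  job-b:
    runs-on: ubuntu-latest
    needs: job-a
    steps:
      - name: Fingerprint GITHUB_TOKEN in job B
        env:
          TOKEN: ${{ github.token }}
        run: |
          # A different installation token is issued before this job begins
          printf '%s' "$TOKEN" | sha256sum | cut -c1-16
```

Delete the workflow after the check; the raw token itself is masked by the runner if printed, but a hash of it is not.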

Thanks again for the answer. I thought of doing something like that to get some empirical proof, but just because an experiment shows something doesn’t mean it is guaranteed to change, so I have more peace of mind if there is a guarantee that different tokens will be created for different runs.

In any case, I consider this question answered, so thanks again!