Hi @ylemkimon,

I read that article but it wasn’t clear to me that the token was rotated because I’m not familiar with the internals of how GitHub Apps works.

Are you sure the documentation there really implies that the token is different for each run/GitHub App installation?

Thanks!

Yes. If in doubt, you can always test it yourself, e.g., echo -n "${{ github.token }}" | sha256sum (note it’d be possible to infer the token from the hash, as the token has a fixed length and characters, so do not test this in a public or real repository). This will give a different hash every time the workflow is run.

Thanks again for the answer. I thought of doing something like that to get some empirical proof, but then only because an experiment showed something doesn’t mean it is guaranteed to change, so I have more peace of mind if there is a guarantee that different tokens will be created for different runs.

In any case, I consider this question answered, so thanks again!