Using GITHUB_TOKEN in HTTP call to API

Is it possible to use the provided GITHUB_TOKEN to perform HTTP call to the GitHub API?

Is it time limited?

I would like to use it to be able to register an external webhook that would later be able to call back GitHub with repository_dispatch event.

I successfully used GITHUB_TOKEN to authorize an arbitrary API call to github api. Here you can find default permissions of GITHUB_TOKEN

How? cURL example?

Here is an example of using the GitHub token in an API call.

(note: that specific example is using a GitHub Personal Access token, since it needs to do cross-repository stuff, but an identical example would apply for a same repo when using the GitHub Actions’ GITHUB_TOKEN)

There are also examples there of issuing raw git calls using the token if it helps.

I think there is a misunderstanding. I know how to call API using a personal token, I want to know whether something similar can be done using the GITHUB_TOKEN provided as secret for any GitHub action, which doesn’t work as-is.

Within the specified permissions for the GITHUB_TOKEN it can be used in exactly the same way as a PAT in HTTP calls to the GitHub API.

Doesn’t seem so. When trying to POST to []( with GITHUB\_TOKEN in basic auth, it’s forbidden.

Pass it as a header “Authorization: Bearer <token>”.

curl \
-H"Accept: application/vnd.github.v3+json" \
-H"authorization: Bearer <your token goes here>" \
"<owner>/<repo>/issues" \
-d '{"title":"title"}'

This token is of the form v1. **************************************** … does it expire ?

@cchantep wrote:

Doesn’t seem so. When trying to POST to []( with GITHUB\_TOKEN in basic auth, it’s forbidden.

The repository dispatch endpoint  is outside of the access scope of the default GITHUB_TOKEN that comes with your action. So it’s correct that this doesn’t work.

You’d either have to use a PAT that has access to that endpoint or reconfigure your workflow a little and use conditional jobs in a single workflow instead of manually triggering another.

1 Like

A conditional job is not a solution, when you want an external app (e.g. JIRA) to trigger the action using such event.

User Bearer authentication instead of Basic authentication.

Or you can also use octokit to do all the heavylifting for you.

It worked for me!