use PAT in docs - GITHUB_TOKEN

[Portal3d]

Select Topic Area

Question

Body

When a Github Actions workflow is started, the docs state that the Github Actions app sets a new short-lived token via the GITHUB_TOKEN at every workflow run. The permissions linked to this token are controlled by repository/organization/enterprise settings, but can be tweaked via the permissions settings since early 2021.

Isn't it ill adviced then to still leverage a (long lived) Personal Access Token if you want more permissions? Are there still cases where this would be needed?

This is what I still find in the docs: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#granting-additional-permissions

[GabrielVitorGL]

• Accessing a private repository other than the one running the workflow. The GITHUB_TOKEN is scoped to the repository, so it can't do that.

• Making events caused by the workflow (e.g. a push to the repository) trigger additional workflows. Activities authorized with the GITHUB_TOKEN never do that to avoid unintentional recursive runs.