adaptive-enforcement-lab/installation-token-generation
plugins/patterns/skills/installation-token-generation/SKILL.md
Generate short-lived installation tokens from GitHub App credentials with actions/create-github-app-token. Organization-scoped and repository-scoped patterns for automated cross-repo workflows.
tools
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills installation-token-generationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 10:58 AM36.4s7 files scanned
SKILL.md
- name:
- installation-token-generation
- description:
- >-
Installation Token Generation
When to Use This Skill
Installation tokens authenticate your GitHub App for specific repository operations. They enable:
- Cross-repository automation - Operate across multiple repositories
- Organization-wide workflows - Access all repositories in your organization
- Automated processes - No user interaction required
- Scoped permissions - Limit access to specific repositories
- Short-lived credentials - 1-hour expiration for security
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
Implementation
Installation tokens provide automated, secure access to repositories where your GitHub App is installed. Use installation tokens for GitHub Actions workflows, CI/CD automation, and cross-repository operations.
When to Use Installation Tokens
Installation tokens are for automated repository operations. Use JWT for app-level operations and OAuth for user-attributed actions.
Overview
Installation tokens authenticate your GitHub App for specific repository operations. They enable:
- Cross-repository automation - Operate across multiple repositories
- Organization-wide workflows - Access all repositories in your organization
- Automated processes - No user interaction required
- Scoped permissions - Limit access to specific repositories
- Short-lived credentials - 1-hour expiration for security
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
Token Scoping Decision
See examples.md for detailed code examples.
Basic Usage
Single Repository Token
Generate a token scoped to the current repository.
See examples.md for detailed code examples.
Output: Token accessible via ${{ steps.app_token.outputs.token }}
Scope: Current repository only (where workflow runs)
Organization-Scoped Tokens
Generate tokens with access to all repositories where the app is installed.
See examples.md for detailed code examples.
Owner Parameter is Critical
- With
owner: Access all repositories in the organization- Without
owner: Access only the current repository- Must match your GitHub organization name exactly
Use cases:
- Discovery workflows (list all repositories)
- Cross-repository automation
- Organization-wide policy enforcement
- Dynamic repository targeting
Repository-Scoped Tokens
Limit token access to specific repositories for enhanced security.
See examples.md for detailed code examples.
Security Best Practice
Use repository-scoped tokens when you know exactly which repositories need access. This follows the principle of least privilege.
Benefits:
- Explicit allow list of repositories
- Reduces blast radius if token is compromised
- Clear audit trail of intended access
- Enforces access boundaries
When NOT to Use Installation Tokens
Don't Use Installation Tokens For
- User-attributed actions - Use OAuth instead
- App-level operations - Use JWT (list installations, get app manifest)
- Public repository read-only access - Use
GITHUB_TOKENif simpler- Personal repository access - Use OAuth for user's private repos
- Operations requiring user identity - Actions appear as "bot" with installation tokens
Next Steps
- Workflow Patterns - Cross-repository automation patterns
- Use Cases - Real-world implementation examples
- Lifecycle and Security - Token management and security best practices
Overview
Installation tokens authenticate your GitHub App for specific repository operations. They enable:
- Cross-repository automation - Operate across multiple repositories
- Organization-wide workflows - Access all repositories in your organization
- Automated processes - No user interaction required
- Scoped permissions - Limit access to specific repositories
- Short-lived credentials - 1-hour expiration for security
Token Limitations
- 1-hour expiration (automatic refresh available)
- Requires GitHub App installation on target repositories
- Permissions limited to app's configured scope
- Cannot perform user-attributed actions
Token Scoping Decision
See examples.md for detailed code examples.
Basic Usage
Single Repository Token
Generate a token scoped to the current repository.
See examples.md for detailed code examples.
Output: Token accessible via ${{ steps.app_token.outputs.token }}
Scope: Current repository only (where workflow runs)
Organization-Scoped Tokens
Generate tokens with access to all repositories where the app is installed.
See examples.md for detailed code examples.
Owner Parameter is Critical
- With
owner: Access all repositories in the organization- Without
owner: Access only the current repository- Must match your GitHub organization name exactly
Use cases:
- Discovery workflows (list all repositories)
- Cross-repository automation
- Organization-wide policy enforcement
- Dynamic repository targeting
Repository-Scoped Tokens
Limit token access to specific repositories for enhanced security.
See examples.md for detailed code examples.
Security Best Practice
Use repository-scoped tokens when you know exactly which repositories need access. This follows the principle of least privilege.
Benefits:
- Explicit allow list of repositories
- Reduces blast radius if token is compromised
- Clear audit trail of intended access
- Enforces access boundaries
When NOT to Use Installation Tokens
Don't Use Installation Tokens For
- User-attributed actions - Use OAuth instead
- App-level operations - Use JWT (list installations, get app manifest)
- Public repository read-only access - Use
GITHUB_TOKENif simpler- Personal repository access - Use OAuth for user's private repos
- Operations requiring user identity - Actions appear as "bot" with installation tokens
Next Steps
- Workflow Patterns - Cross-repository automation patterns
- Use Cases - Real-world implementation examples
- Lifecycle and Security - Token management and security best practices
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
References
- Source Documentation
- AEL Patterns
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026