Anand Chowdhary
/notes/2025

Short lived tokens for CI

August 26, 2025
154 words
Reply on X
View on GitHub

I’ve been moving more of my CI to GitHub Apps instead of PATs, and this GitHub Actions workflow tool by @qoomon1 that mindset: It mints temporary tokens in workflows with least privilege by default. No more forever secrets, about time!

Highlights: Short lived tokens scoped to an installation. Granular permissions from your App. Works on GitHub hosted and self hosted runners. Great for cross repo and org automation without handing out PATs.

How it works: It uses the GitHub App flow. Create a JWT, exchange it for an installation access token, then the action exposes it to your steps. You add App credentials as secrets and rotate them when needed. Nothing long lived baked into the repo or runners.

Why I’m into it: Fewer long-lived secrets, tighter scopes, quick revoke and audit. TypeScript, ~138 stars, focused scope.

If you’re modernizing CI security, this is an easy drop in (my security brain is happy): https://github.com/qoomon/actions–access-token