How do I safely use a GitHub token to make changes and push to a repository?

[tusharidc]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

ARC (Actions Runner Controller)

Discussion Details

1. I am working with GitHub repositories and need to make changes using a GitHub token (PAT).
2. I want to know the correct and secure way to authenticate Git operations (clone, pull, push) with a token.
3. What is the recommended setup for local development and CI, and what common mistakes should I avoid (like token scopes, expired tokens, or remote URL issues)?

[Pushkarmehra]

To safely use a GitHub token (PAT) for repository changes, follow these best practices:

1. Create the right token

• Prefer a fine-grained PAT when possible.
• Grant only the minimum required permissions, usually:
  • Repository Contents: Read and Write
  • Metadata: Read
• Restrict access to only the repositories you need.
• Set an expiration date.

2. Use HTTPS with credential manager (best for local)

• Keep your remote URL as normal HTTPS.
• On first authentication:
  • Username: your GitHub username
  • Password: your PAT
• Let Git Credential Manager store credentials securely.

3. Never hardcode the token

• Do not put tokens in remote URLs, scripts, or source files.
• Do not print tokens in logs.
• If a token is exposed, revoke it immediately and create a new one.

4. CI/CD recommendation

• In GitHub Actions, use GITHUB_TOKEN for same-repository workflows.
• Use a PAT only if cross-repository or extra permissions are required.
• Store PAT in encrypted secrets and reference it via environment variables.

5. Common errors and fixes

• 403 Permission denied:
  • Token lacks required permissions.
  • Token is not authorized for that repository or organization.
• Authentication failed:
  • Token expired or revoked.
  • Cached old credentials; clear and re-authenticate.
• Push rejected:
  • Branch protection rules may block direct pushes.

6. Security checklist

• Use least privilege access.
• Use short token expiry.
• Rotate tokens regularly.
• Remove old or unused tokens.

In short: use HTTPS + credential manager locally, encrypted secrets in CI/CD, minimum required permissions, and never embed tokens in URLs or code.

[shnwazdeveloper]

Create a fine-grained PAT with minimum permissions (Contents Read/Write, Metadata Read).
Restrict token to only required repositories and set expiry.
Use HTTPS + Git Credential Manager for local Git.
Never hardcode token in URLs, code, or scripts.
In CI/CD, store PAT in encrypted secrets and use environment variables.
Use GITHUB_TOKEN for same-repo GitHub Actions.
If token is exposed → Revoke and create new token.
Rotate tokens regularly and remove unused tokens.

[shnwazdeveloper]

Create the right token
Use a fine-grained PAT when possible. Grant only minimum permissions such as:

Repository Contents: Read and Write
Metadata: Read
Restrict the token to only required repositories and set an expiration date.

Use HTTPS with Credential Manager (local machine)
Keep the remote URL as HTTPS:

https://github.com/username/repo.git

When prompted:

Username: GitHub username
Password: PAT
Let Git Credential Manager store it securely.

Never hardcode the token
Do not:

Put tokens in remote URLs
Store tokens in scripts or code
Print tokens in logs
Upload tokens to GitHub

If exposed, revoke immediately and generate a new token.

CI/CD usage

Use GITHUB_TOKEN for GitHub Actions in same repository.
Use PAT only for cross-repository or extra permissions.
Store PAT in encrypted secrets and use environment variables.

Common errors

403 Permission denied → Token lacks permissions
Authentication failed → Token expired/revoked
Push rejected → Branch protection rules
Still asking password → Clear cached credentials

Security checklist

Use least privilege
Set short expiry
Rotate tokens regularly
Remove unused tokens
Never embed tokens in code or URLs