The `GITHUB_TOKEN` provided by GitHub Actions does not work because it lacks the permissions needed to read repository lists across your account.
Why You Need a PAT
The default `GITHUB_TOKEN` has the following limitations:
- Limited to the current repository only
- Cannot list all repositories in your account
- Restricted permissions scope
A Personal Access Token (PAT) lets the tracker:
- Query all repositories in your account
- Read star counts and metadata
- Access both public and private repositories (based on scope)
Creating a Classic Token
Classic tokens are the recommended option for GitHub Star Tracker due to their straightforward setup.
Navigate to Token Settings
Configure Token
- Note: Enter a descriptive name like `GitHub Star Tracker`
- Expiration: Choose your preferred expiration period (90 days, 1 year, or no expiration)
- Scopes: Select the appropriate scope:
  - `repo` - Full control of private repositories (required if tracking private repos)
  - `public_repo` - Access public repositories only (sufficient if tracking only public repos)
Creating a Fine-Grained Token
Fine-grained tokens offer more granular permissions but require additional configuration.
Navigate to Token Settings
Configure Basic Settings
- Token name: Enter a descriptive name like `GitHub Star Tracker`
- Expiration: Choose your preferred expiration period
- Resource owner: Select your personal account or organization
- Repository access: Choose:
  - All repositories - Track all repos in your account
  - Only select repositories - Track specific repos only
Set Permissions
Under Permissions > Repository permissions, set:
- Metadata: Read-only (automatically selected)
- Contents: Read-only (for reading repository data)
Adding Token to Repository
Once you have your token, add it as a repository secret:
Navigate to Repository Settings
Go to your repository on GitHub > Settings > Secrets and variables > Actions
Configure Secret
- Name: `GITHUB_STAR_TRACKER_TOKEN` (or your preferred name)
- Value: Paste your Personal Access Token
Using the Token in Workflows
Reference your token in the workflow file using secrets. The secret name in your workflow must match the name you created in repository settings.
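The following workflow is an added example, not a file from the GitHub Star Tracker project. It reads the PAT from the `GITHUB_STAR_TRACKER_TOKEN` secret named above, runs a pre-flight step that catches the "Bad credentials" and missing-scope failures listed under Troubleshooting before the tracker ever runs, and then hands the token to the tracker. The action reference `OWNER/github-star-tracker@v1` and its `token` input are placeholders; substitute the tracker's real action and input name.

```yaml
# Added example workflow (not the project's own). Assumes the repository secret
# is named GITHUB_STAR_TRACKER_TOKEN; the action reference below is a placeholder.
name: Star Tracker

on:
  schedule:
    - cron: "0 6 * * *"   # once a day at 06:00 UTC
  workflow_dispatch:

# Keep the built-in GITHUB_TOKEN at least privilege; the PAT does the cross-repo reads.
permissions:
  contents: read

jobs:
  track:
    runs-on: ubuntu-latest
    steps:
      - name: Verify the PAT before using it
        env:
          # Never paste the token value here; always reference the repository secret.
          PAT: ${{ secrets.GITHUB_STAR_TRACKER_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "${PAT}" ]; then
            echo "::error::Secret GITHUB_STAR_TRACKER_TOKEN is empty or not set on this repository"
            exit 1
          fi
          # /user answers 401 for a mistyped, expired or revoked token ("Bad credentials").
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer ${PAT}" \
            -H "Accept: application/vnd.github+json" \
            https://api.github.com/user)
          if [ "${status}" != "200" ]; then
            echo "::error::Token check failed with HTTP ${status}; check the token value and expiry"
            exit 1
          fi
          # Classic tokens report their scopes in the x-oauth-scopes response header.
          # Fine-grained tokens do not send it, so the scope test only applies when present.
          scopes=$(curl -sS -D - -o /dev/null \
            -H "Authorization: Bearer ${PAT}" \
            https://api.github.com/user | tr -d '\r' | awk -F': ' 'tolower($1)=="x-oauth-scopes"{print $2}')
          if [ -n "${scopes}" ]; then
            echo "Classic token scopes: ${scopes}"
            case ",${scopes// /}," in
              *,repo,*|*,public_repo,*) ;;
              *) echo "::error::Token lacks the repo or public_repo scope"; exit 1 ;;
            esac
          else
            echo "No x-oauth-scopes header: fine-grained token; confirm its repository access in settings"
          fi
          # Confirm the token can list repositories, which is exactly what GITHUB_TOKEN cannot do.
          count=$(curl -sS -H "Authorization: Bearer ${PAT}" \
            "https://api.github.com/user/repos?per_page=1" | grep -c '"full_name"' || true)
          echo "Repository listing reachable (sample entries returned: ${count})"

      - name: Run GitHub Star Tracker
        # Placeholder: replace with the tracker's real action reference and token input.
        uses: OWNER/github-star-tracker@v1
        with:
          token: ${{ secrets.GITHUB_STAR_TRACKER_TOKEN }}
```

The verification step fails fast with a readable `::error::` annotation instead of letting the tracker die on an opaque API error, and it never echoes the token itself (GitHub masks secret values in logs, but the step prints only scopes and counts anyway). If the secret name in the workflow does not match the one created under Settings > Secrets and variables > Actions, the first check trips because the expression expands to an empty string.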
Token Scope Comparison
| Feature | public_repo | repo (Full) |
|---|---|---|
| Public repositories | ✓ | ✓ |
| Private repositories | ✗ | ✓ |
| Organization repos | Limited | ✓ |
| Archived repos | ✓ | ✓ |
| Forked repos | ✓ | ✓ |
Security Best Practices
Use Minimal Permissions
Choose the `public_repo` scope if you only track public repositories. Only use `repo` when tracking private repositories.
Set Expiration Dates
Use token expiration to reduce security risks. Set calendar reminders to regenerate tokens before they expire.
Rotate Tokens Regularly
Even with no expiration, rotate tokens periodically (e.g., every 6 months) as a security best practice.
Monitor Token Usage
Check your token’s usage in GitHub Settings to ensure it’s only being used by expected workflows.
Use Repository Secrets
Always store tokens in repository secrets, never in workflow files or code.
Troubleshooting
"Bad credentials" Error
- Verify the token is correctly copied without extra spaces
- Ensure the token hasn’t expired
- Check that the token has the required scopes
"Not Found" or "Resource not accessible"
- Verify the token has the `repo` or `public_repo` scope
- For fine-grained tokens, ensure repository access is configured correctly
- Check that the resource owner matches your account
Token Expired
- Generate a new token following the steps above
- Update the repository secret with the new token value
- No workflow changes are needed