diff --git a/troubleshooting/codeql-builds/compiled-languages-go.md b/troubleshooting/codeql-builds/compiled-languages-go.md index 09c8f71..928880d 100644 --- a/troubleshooting/codeql-builds/compiled-languages-go.md +++ b/troubleshooting/codeql-builds/compiled-languages-go.md @@ -7,7 +7,7 @@ There are two options when it comes to private repositories: - Set-up the Go environment within the Actions workflow (not vendoring then) - Vendor the dependencies -Setting up the Go environment can be done by adding a Actions step to update the [Go settings](https://go.dev/ref/mod#private-modules) pointing them to use a [GitHub Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with the corresponding access to the private repository. +Setting up the Go environment can be done by adding a Actions step to update the [Go settings](https://go.dev/ref/mod#private-modules) pointing them to use an access token (ex: [GitHub Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)) with the corresponding access to the private repository. The example below shows how this can be done using a single step before the CodeQL Initize step - storing the GitHub PAT in an Actions Secret. **Example:** @@ -38,3 +38,14 @@ Alternatively, pass the token into the CodeQL init action to allow it to be used with: external-repository-token: ${{ secrets.GOLANG_GITHUB_TOKEN }} ``` + + +The auto generated GITHUB_TOKEN is strictly scoped to the repository for security reasons. + +To interact with higher level resources(other repositories, use GitHub Apps with shortlived tokens instead of Personal Acces Tokens. The GitHub action for it here https://github.com/actions/create-github-app-token described in the docs here https://github.com/actions/create-github-app-token + + +This is better than a PAT for a few reasons: +- The tokens are short lived. +- The token can be scoped to specific places in the workflow at time of creation. +- It isn’t associated to a user, it is associated to an app.