@guy that could be worth a whole topic on its own
GitHub Actions actually generates a token for you on each run and it is scoped to only work in that repo. It might even auto-expire. But you never have to view or copy the token, so it is super secure.
Note that this is the flow in the generic template I shared.
There is no manual generation and no choice for expiration so I recommend this one.
Another option is to generate a token manually for your user (yes, for all your repos, and you can’t scope it to one repo) and then add that to the secrets for a repo. I avoid this option if possible because it is less secure. But some Actions only work with this approach, so just check the docs of an action to see what it supports.
And yes, if you generate a token manually you have the option to expire it or set no expiry time. If you are using the token for GH Actions, then you only view and copy the token once and never have to look at it again, and also GH will mask it from the logs even if the value is printed (it shows as
so it is safe enough to not expire for most cases. Or you expire it and have to remember to regenerate and update it every 90 days or whatever manually.
It is more worth expiring a token if you are not using GH Actions and you leave the security of GitHub behind. For example, I download GH API data using a manually generated token that I put in a config file on my machine, or I put it on a server like on Amazon or Netlify. Then I run Python or Ruby to get data from the API and use it for a report or whatever. There is more of a risk of the token being viewed by someone with access to the system, or of the token being printed in the logs and someone stealing it, because it is outside of GH. (Well, Netlify will mask the token, fortunately.)
So basically, if you do need to generate a token manually but you add it to GH secrets and then want to never touch it for a few years but know it is secure, I’d say no expiration is fine. I mean, the expiration only came out as a feature in the last few months and didn’t exist for years before that, so it’s not like it’s essential for everyone, otherwise no one would have used those tokens in the past.
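The two token flows described in this post side by side, as an added workflow example that is not from the poster's template: the first job uses the per-run `GITHUB_TOKEN` narrowed with a `permissions` block, the second shows the manually generated token stored as a repo secret (`MY_PAT` is an assumed secret name, not a real one).

```yaml
name: token-demo

on:
  pull_request:

# Least privilege for the automatic token: it starts from the repo's default
# permissions, and this block narrows it to only what the first job needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  comment-with-auto-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # GITHUB_TOKEN is minted for this run, works only in this repo, and is
      # invalidated when the job finishes. Nobody ever views or copies it.
      # Event data is passed via env vars rather than interpolated into the
      # shell line, so untrusted input never becomes part of the command.
      - name: Comment on the PR using GITHUB_TOKEN
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          COMMIT: ${{ github.sha }}
        run: |
          gh pr comment "$PR_NUMBER" --body "CI ran on commit $COMMIT"

  # Only for the cases the post mentions where an action cannot work with
  # GITHUB_TOKEN (for example, reaching a different repo). MY_PAT is a
  # hypothetical secret holding a manually generated user token.
  needs-a-pat:
    runs-on: ubuntu-latest
    # Job-level override: the automatic token gets no permissions here,
    # so only the explicitly supplied secret carries any access.
    permissions: {}
    steps:
      - name: Call the API with a manually generated token from secrets
        env:
          GH_TOKEN: ${{ secrets.MY_PAT }}
          REPO: ${{ github.repository }}
        run: |
          # GitHub masks the secret value in the log if it is ever echoed.
          gh api "repos/$REPO/issues" --jq 'length'
```

The `permissions: {}` line on the second job is the check worth copying: it confirms in the log that any access the job has came from the secret you chose to give it, not from the default automatic token.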