GitHub
GitHub, Inc.CI/CD9 credentials
Classic Personal Access Token
github / classic-personal-access-token
Classic personal access tokens authenticate GitHub API and Git-over-HTTPS requests as the user that created them. GitHub's token format uses the ghp_ prefix for this token type.
Looks like
exampleghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
git remote URLs, scripts, committed .env files, CI configuration
GITHUB_TOKEN, GH_TOKEN, GITHUB_PAT~/.git-credentialsGit credential helper storage for HTTPS remotes
Notes
Scope is selected when the token is created. A classic PAT with broad repo or admin scopes should be treated as account-level access to the user's reachable repositories and organization resources.
Fine-Grained Personal Access Token
github / fine-grained-personal-access-token
Fine-grained personal access tokens authenticate as a user but are constrained to selected repositories and permissions. GitHub exposes them with the github_pat_ prefix.
Looks like
examplegithub_pat_XXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
scripts, local tooling config, package publishing automation
GITHUB_TOKEN, GH_TOKEN, GITHUB_PATCI/CD secret stores and deployment platforms that call GitHub
Notes
Fine-grained PATs reduce blast radius compared with classic PATs, but the token is still bearer material. Treat a leaked token according to the repository and permission set shown in GitHub's token settings.
OAuth Access Token
github / oauth-access-token
OAuth applications receive GitHub access tokens after a user completes an OAuth authorization flow. GitHub's token format uses the gho_ prefix for OAuth access tokens.
Looks like
examplegho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
OAuth application databases and session stores
application config and local OAuth client caches
callback URLs or debug logs in poorly configured OAuth clients
Notes
The token's permissions are determined by the OAuth app scopes granted by the user. A leaked OAuth token lets an attacker act through that authorized application context until the grant is revoked or expires.
GitHub App User-to-Server Token
github / github-app-user-token
GitHub Apps can authenticate on behalf of a user and receive a user-to-server access token. GitHub's token format uses the ghu_ prefix for this token type.
Looks like
exampleghu_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
GitHub App backend token stores
local app development caches and service configuration
GitHub App OAuth callback or API debug logs
Notes
Access reflects both the GitHub App's permissions and the authorizing user's access. The corresponding refresh token, when present, is a separate long-lived credential and should be rotated independently.
GitHub App Installation Token
github / github-app-installation-token
GitHub Apps exchange a signed app JWT for an installation access token scoped to repositories and permissions granted to that installation. GitHub's token format uses the ghs_ prefix for server-to-server tokens.
Looks like
exampleghs_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
GITHUB_TOKENautomatic token injected into GitHub Actions jobs
GitHub App backend cache for installation tokens
API client debug output and Actions logs when printed
Notes
Installation tokens are short-lived but high-value. In GitHub Actions, the built-in GITHUB_TOKEN is created for each workflow job and expires when the job completes or after GitHub's documented maximum lifetime.
GitHub App Refresh Token
github / github-app-refresh-token
GitHub Apps that use expiring user access tokens receive refresh tokens to mint replacement user tokens. GitHub's token format uses the ghr_ prefix for refresh tokens.
Looks like
exampleghr_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
GitHub App backend storage paired with user access tokens
local development token caches
Notes
A refresh token is persistence material for a GitHub App user grant. Rotate it with the associated user access token after exposure.
GitHub App Private Key
github / github-app-private-key
GitHub Apps use a downloaded private key to sign JSON Web Tokens for app authentication. The private half of the key is the credential that allows minting app JWTs and then installation access tokens.
Looks like
pattern-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----Location
GitHub App .pem files on application servers and developer laptops
CI/CD or cloud secret stores used by GitHub App backends
application repositories that accidentally commit the .pem file
Notes
The private key does not directly access repositories, but it can sign app JWTs that request installation tokens for every installation and permission granted to the GitHub App.
Deploy Key
github / deploy-key
A deploy key is an SSH key attached directly to one repository. GitHub stores the public key; the private key is held by the server or CI job that needs repository access.
Looks like
pattern-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----Location
~/.ssh/*_deploy_keyper-repository deploy key files used by Git SSH config aliases
CI/CD variables and deployment secret stores
accidentally committed private keys in deployment repos
Notes
A deploy key can be read-only or read/write. Read/write deploy keys can push code to the attached repository without a user account, which makes them supply-chain sensitive even though their scope is a single repo.
GitHub Actions Secret
github / actions-secret
GitHub Actions secrets store arbitrary user-defined secret values for repositories, environments, and organizations. Workflows can expose those values to jobs as inputs or environment variables.
Location
repository, environment, and organization Actions secrets
workflow job environment variables populated from secrets.*
workflow logs when a secret is printed, transformed, or bypasses masking
Notes
Actions secrets have no GitHub-specific textual shape because they are arbitrary values. Identify them by workflow context: secrets.NAME expressions, injected environment variables, or CI logs that reveal the expanded value.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.