Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration (#564)

Andarist · web-flow · commit 935fe876b005 · 2026-01-29T09:35:17.000+01:00
diff --git a/.changeset/quiet-vans-fail.md b/.changeset/quiet-vans-fail.md
@@ -0,0 +1,5 @@
+---
+"@changesets/action": minor
+---
+
+Automatically use the GitHub-provided token to allow most users to avoid explicit `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` configuration.
diff --git a/README.md b/README.md
@@ -54,8 +54,6 @@ jobs:
 
       - name: Create Release Pull Request
         uses: changesets/action@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 #### With Publishing
@@ -95,7 +93,6 @@ jobs:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: yarn release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Send a Slack notification if a publish happens
@@ -156,8 +153,6 @@ jobs:
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish
         if: steps.changesets.outputs.hasChangesets == 'false'
@@ -202,8 +197,6 @@ jobs:
         with:
           # this expects you to have a npm script called version that runs some logic and then calls `changeset version`.
           version: yarn version
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 #### With Yarn 2 / Plug'n'Play
diff --git a/action.yml b/action.yml
@@ -4,6 +4,10 @@ runs:
   using: "node24"
   main: "dist/index.js"
 inputs:
+  github-token:
+    description: "The GitHub token to use for authentication. Defaults to the GitHub-provided token."
+    required: false
+    default: ${{ github.token }}
   publish:
     description: "The command to use to build and publish packages"
     required: false
diff --git a/src/index.ts b/src/index.ts
@@ -10,7 +10,9 @@ import { fileExists } from "./utils.ts";
 const getOptionalInput = (name: string) => core.getInput(name) || undefined;
 
 (async () => {
-  let githubToken = process.env.GITHUB_TOKEN;
+  // to maintain compatibility with workflows created before github-token input was introduced
+  // it's important to prefer the explicitly set GITHUB_TOKEN over the default token coming from github.token
+  let githubToken = process.env.GITHUB_TOKEN || core.getInput("github-token");
 
   if (!githubToken) {
     core.setFailed("Please add the GITHUB_TOKEN to the changesets action");
@@ -114,6 +116,7 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
 
       const result = await runPublish({
         script: publishScript,
+        githubToken,
         git,
         octokit,
         createGithubReleases: core.getBooleanInput("createGithubReleases"),
@@ -136,6 +139,7 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
       const octokit = setupOctokit(githubToken);
       const { pullRequestNumber } = await runVersion({
         script: getOptionalInput("version"),
+        githubToken,
         git,
         octokit,
         prTitle: getOptionalInput("title"),
diff --git a/src/run.test.ts b/src/run.test.ts
@@ -82,6 +82,7 @@ describe("version", () => {
 
     await runVersion({
       octokit: setupOctokit("@@GITHUB_TOKEN"),
+      githubToken: "@@GITHUB_TOKEN",
       git: new Git({ cwd }),
       cwd,
     });
@@ -116,6 +117,7 @@ describe("version", () => {
 
     await runVersion({
       octokit: setupOctokit("@@GITHUB_TOKEN"),
+      githubToken: "@@GITHUB_TOKEN",
       git: new Git({ cwd }),
       cwd,
     });
@@ -150,6 +152,7 @@ describe("version", () => {
 
     await runVersion({
       octokit: setupOctokit("@@GITHUB_TOKEN"),
+      githubToken: "@@GITHUB_TOKEN",
       git: new Git({ cwd }),
       cwd,
     });
@@ -204,6 +207,7 @@ fluminis divesque vulnere aquis parce lapsis rabie si visa fulmineis.
 
     await runVersion({
       octokit: setupOctokit("@@GITHUB_TOKEN"),
+      githubToken: "@@GITHUB_TOKEN",
       git: new Git({ cwd }),
       cwd,
       prBodyMaxCharacters: 1000,
@@ -262,6 +266,7 @@ fluminis divesque vulnere aquis parce lapsis rabie si visa fulmineis.
 
     await runVersion({
       octokit: setupOctokit("@@GITHUB_TOKEN"),
+      githubToken: "@@GITHUB_TOKEN",
       git: new Git({ cwd }),
       cwd,
       prBodyMaxCharacters: 500,
diff --git a/src/run.ts b/src/run.ts
@@ -60,6 +60,7 @@ const createRelease = async (
 
 type PublishOptions = {
   script: string;
+  githubToken: string;
   octokit: Octokit;
   createGithubReleases: boolean;
   git: Git;
@@ -79,6 +80,7 @@ type PublishResult =
 
 export async function runPublish({
   script,
+  githubToken,
   git,
   octokit,
   createGithubReleases,
@@ -89,7 +91,7 @@ export async function runPublish({
   let changesetPublishOutput = await getExecOutput(
     publishCommand,
     publishArgs,
-    { cwd }
+    { cwd, env: { ...process.env, GITHUB_TOKEN: githubToken } }
   );
 
   let { packages, tool } = await getPackages(cwd);
@@ -249,6 +251,7 @@ export async function getVersionPrBody({
 
 type VersionOptions = {
   script?: string;
+  githubToken: string;
   git: Git;
   octokit: Octokit;
   cwd?: string;
@@ -265,6 +268,7 @@ type RunVersionResult = {
 
 export async function runVersion({
   script,
+  githubToken,
   git,
   octokit,
   cwd = process.cwd(),
@@ -282,9 +286,11 @@ export async function runVersion({
 
   let versionsByDirectory = await getVersionsByDirectory(cwd);
 
+  const env = { ...process.env, GITHUB_TOKEN: githubToken };
+
   if (script) {
     let [versionCommand, ...versionArgs] = script.split(/\s+/);
-    await exec(versionCommand, versionArgs, { cwd });
+    await exec(versionCommand, versionArgs, { cwd, env });
   } else {
     let changesetsCliPkgJson = requireChangesetsCliPkgJson(cwd);
     let cmd = semverLt(changesetsCliPkgJson.version, "2.0.0")
@@ -300,6 +306,7 @@ export async function runVersion({
       ],
       {
         cwd,
+        env,
       }
     );
   }
@@ -330,7 +337,7 @@ export async function runVersion({
   /**
    * Fetch any existing pull requests that are open against the branch,
    * before we push any changes that may inadvertently close the existing PRs.
-   * 
+   *
    * (`@changesets/ghcommit` has to reset the branch to the same commit as the base,
    * which GitHub will then react to by closing the PRs)
    */
@@ -340,7 +347,13 @@ export async function runVersion({
     head: `${github.context.repo.owner}:${versionBranch}`,
     base: branch,
   });
-  core.info(`Existing pull requests: ${JSON.stringify(existingPullRequests.data, null, 2)}`);
+  core.info(
+    `Existing pull requests: ${JSON.stringify(
+      existingPullRequests.data,
+      null,
+      2
+    )}`
+  );
 
   await git.pushChanges({ branch: versionBranch, message: finalCommitMessage });
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@changesets/action": minor
 +---
++
 +Automatically use the GitHub-provided token to allow most users to avoid explicit `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` configuration.