From b1f5963c8623d5a5a92d2783b30da73c339232e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gissur=20=C3=9E=C3=B3rhallsson?= <gzzzur@gmail.com>
Date: Mon, 31 Jan 2022 21:19:22 +0000
Subject: [PATCH] docs: Expand the GITHUB_TOKEN section (#968)

* docs: Expand the GITHUB_TOKEN section

* docs: Add a note on leaking GITHUB_TOKEN through shell history

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
---
 README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8c29113..d266464 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,17 @@ It will save that information to `~/.actrc`, please refer to [Configuration](#co
   -W, --workflows string                 path to workflow file(s) (default "./.github/workflows/")
 ```
 
-In case you want to pass a value for `${{ github.token }}`, you should pass `GITHUB_TOKEN` as secret: `act -s GITHUB_TOKEN=[insert token or leave blank for secure input]`.
+## `GITHUB_TOKEN`
+
+Github [automatically provides](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret) a `GITHUB_TOKEN` secret when running workflows inside Github.
+
+If your workflow depends on this token, you need to create a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) and pass it to `act` as a secret:
+
+```bash
+act -s GITHUB_TOKEN=[insert token or leave blank for secure input]
+```
+
+**WARNING**: `GITHUB_TOKEN` will be logged in shell history if not inserted through secure input or (depending on your shell config) the command is prefixed with a whitespace.
 
 # Known Issues