Repository access tokens
This page describes how to set up repository credentials for CI jobs that push an Ogoron output branch.
For a basic "push branch" flow, the token needs repository write access.
For an optional MR/PR creation flow, the token needs additional permissions.
General rules
- Use a dedicated bot identity where possible.
- Grant the minimal permissions required for the workflow.
- Store tokens only in the CI secret storage.
- Do not print tokens in logs.
GitLab
Recommended token type
- Project access token, or a bot user token scoped to a single project
Permissions
- Push branch: repository write access (for example, write_repository)
- Optional MR creation: API access (for example, api)
Where to store in CI
- GitLab CI/CD variables (masked; protected if you only want it on protected branches)
Common variable name in templates: GITLAB_TOKEN
GitHub
Recommended token type
- Fine-grained personal access token (or a bot user token) limited to the target repository
Permissions
- Push branch: Contents: Read and write
- Optional PR creation: Pull requests: Read and write
Where to store in CI
- GitHub Actions secrets
Common secret name in templates: OGORON_GITHUB_TOKEN
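A push step that follows the general rules above, as an added example (not part of the original page or of Ogoron's own templates): it reads the token from the CI secret variables named on this page and hands it to git through a GIT_ASKPASS helper, so the token never appears in the remote URL, on a command line, or on disk. The PUSH_TOKEN and PUSH_USER names, the oauth2 placeholder username, and the URL and branch arguments are assumptions.

```shell
#!/bin/sh
# Added example: push a branch over HTTPS without exposing the CI token.
# Assumptions (not from the original page): the PUSH_TOKEN and PUSH_USER
# names, the "oauth2" placeholder username, and the URL/branch arguments.

# Write a GIT_ASKPASS helper. The token is NOT written into the file: the
# helper reads PUSH_TOKEN from its environment when git invokes it.
write_askpass() {
    helper="$1/git-askpass.sh"
    cat > "$helper" <<'EOF'
#!/bin/sh
# git passes the prompt text as the first argument
case "$1" in
    Username*) printf '%s\n' "${PUSH_USER:-oauth2}" ;;
    Password*) printf '%s\n' "${PUSH_TOKEN:?PUSH_TOKEN is not set}" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Select the token from the CI secret variables named on this page.
select_token() {
    if [ -n "${GITLAB_TOKEN:-}" ]; then
        PUSH_TOKEN=$GITLAB_TOKEN
    elif [ -n "${OGORON_GITHUB_TOKEN:-}" ]; then
        PUSH_TOKEN=$OGORON_GITHUB_TOKEN
    else
        echo "no repository token found in CI secrets" >&2
        return 1
    fi
    export PUSH_TOKEN
}

# Usage: push_branch <https-remote-url> <branch>
push_branch() {
    set +x    # never trace commands while a token is in scope
    select_token || return 1
    tmp=$(mktemp -d) || return 1
    askpass=$(write_askpass "$tmp")
    # Token-free URL; credential helpers disabled so nothing caches the token.
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= push "$1" "HEAD:refs/heads/$2"
    rc=$?
    rm -rf "$tmp"
    unset PUSH_TOKEN
    return $rc
}
```

Source the file in the CI job and call push_branch with the repository's plain HTTPS URL and the output branch name.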
Optional: MR/PR creation
MR/PR creation can be implemented as a separate CI step using:
- a platform API call, or
- a dedicated CLI tool (for example, glab/gh) if your environment provides it.