Cannot override GITHUB_TOKEN for Crowdin GitHub Action when using custom tokens

[lol3909]

Describe the bug
The Crowdin GitHub Action's documentation suggests setting up the token like this:

env:
  # A classic GitHub Personal Access Token with the 'repo' scope selected (the user should have write access to the repository).
  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

However, all env variables starting with GITHUB_ cannot be overwritten by user-provided values. This results in the action not accepting tokens from a GitHub App (or PAT) when attempting to pass it as GH_TOKEN, and the action defaults to the system-provided GITHUB_TOKEN instead.

To Reproduce
Steps to reproduce the behavior:

1. Set up a workflow to use the Crowdin GitHub Action that creates a pull request.
2. Configure the token as suggested in the documentation:

env:
  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

3. Replace secrets.GH_TOKEN with a token generated by a GitHub App (or a personal token).
4. Make sure to not have permissions set in the workflow (the permissions should already configured with the provided token)
5. crowdin.yml file content

"base_path": "."
"base_url": "https://api.crowdin.com"
"preserve_hierarchy": true
files: [
  {
    "source": "src/locales/en.po",
    "translation": "src/locales/%two_letters_code%.po",
  }
]

6. Here's a sample workflow to test the bug (make sure the GitHub app has write access for pull requests and content on the repository)

name: Crowdin Action

on:
  push:
    branches: [ main ]

permissions:
  contents: read

jobs:
  crowdin:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
    
    - uses: actions/create-github-app-token@v1
       id: generate-token
       with:
         app-id: ${{ secrets.APP_ID }}
         private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Synchronize with Crowdin
        uses: crowdin/github-action@v2
        with:
          upload_sources: true
          upload_translations: true
          download_translations: true
          localization_branch_name: l10n_crowdin_translations
          create_pull_request: true
          pull_request_title: 'New Crowdin translations'
          pull_request_body: 'New Crowdin pull request with translations'
          pull_request_base_branch_name: 'main'
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}

Expected behavior
I expected the GitHub Action to allow using a custom token (e.g., one generated by a GitHub App) by binding it to GITHUB_TOKEN as documented.

Additional context
This issue arises because GitHub automatically sets certain environment variables, including GITHUB_TOKEN, and does not allow users to overwrite them. As a workaround, the documentation should suggest using a non-reserved variable name (e.g., GH_TOKEN).

Source: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables

[andrii-bodnar]

Hi @lol3909, thanks for the request!

The actions/create-github-app-token approach is new to me, it looks interesting. If this App token wouldn't require any changes in the API calls, I think it would be easy to adapt this action to handle different name for the token env variable while maintaining backward compatibility.

I've pushed some PoC to the app_token branch.

Could you please check if this works in your case? You can reference this branch as follows:

uses: crowdin/github-action@app_token

Use the GITHUB_APP_TOKEN env variable to pass the ${{ steps.generate-token.outputs.token }} value.

[lol3909]

Hey, I get AUTH_TOKEN: not found. Is there a new env variable that I need to set?

[andrii-bodnar]

@lol3909 thanks for the feedback. No, you don't need a new env variable.

Just pass the GITHUB_APP_TOKEN: ${{ steps.generate-token.outputs.token }} to the Action's env variables.

I just pushed the fix, could you please try again?