Skip to content

GitHub Pages Deployment Token

Service Name: GitHub Pages

Service Description: GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website.

Service Address: https://pages.github.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through GitHub's security settings, not directly on the token.

Secret Access Scope: Grants access to deploy content to GitHub Pages sites. These tokens have permissions to push to specific repositories for GitHub Pages deployments.

Secret Revokement URL: https://github.com/settings/tokens

Secret Example: github_pat_11ABCDEF0ghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLM

Suspicious Activity Investigation Instructions:

  • Review GitHub repository deployment history for unauthorized deployments
  • Check GitHub Pages site for unexpected content changes
  • Review repository access logs for unusual activity
  • Examine commit history for unauthorized commits related to the Pages site
  • Monitor for unexpected changes to GitHub Pages configuration

Mitigation Instructions:

  • Immediately revoke the compromised token by navigating to GitHub Settings > Developer Settings > Personal Access Tokens

  • Generate a new deployment token with appropriate scopes

  • Update any CI/CD pipelines or deployment workflows with the new token
  • Enable branch protection rules for the GitHub Pages publishing branch
  • Consider implementing required reviews for changes to the Pages site
  • Set up notifications for deployments to quickly identify unauthorized activity
  • Review and restrict collaborator permissions for the repository