GitHub Token Regeneration Configuration GuideΒΆ
Last Updated: 2026-01-26T19:00:00Z
Status: Active - Token Refreshed
Audience: Human Admin (@mbaetiong)
π― OverviewΒΆ
This guide provides comprehensive instructions for updating all repository components after GitHub token regeneration. Follow these steps to ensure proper configuration across workflows, scripts, documentation, and agent systems.
π Token Types & ScopesΒΆ
Personal Access Token (PAT) - ClassicΒΆ
Required Scopes:
- β
repo (Full control of private repositories)
- β
workflow (Update GitHub Action workflows)
- β
write:packages (Upload packages to GitHub Package Registry)
- β
delete:packages (Delete packages from GitHub Package Registry)
- β
admin:org (Full control of orgs and teams)
- β
admin:public_key (Full control of user public keys)
- β
admin:repo_hook (Full control of repository hooks)
- β
admin:org_hook (Full control of organization hooks)
- β
gist (Create gists)
- β
notifications (Access notifications)
- β
user (Update ALL user data)
- β
delete_repo (Delete repositories)
- β
write:discussion (Read and write team discussions)
- β
read:packages (Download packages from GitHub Package Registry)
- β
read:org (Read org and team membership, read org projects)
- β
write:org (Read and write org and team membership, read and write org projects)
- β
admin:gpg_key (Full control of user gpg keys)
- β
codespace (Full control of codespaces)
- β
project (Full control of projects)
- β
security_events (Read and write security events)
Fine-Grained Personal Access Token (Recommended)ΒΆ
Repository Permissions: - β Actions: Read and write - β Contents: Read and write - β Issues: Read and write - β Metadata: Read-only (automatic) - β Pull requests: Read and write - β Secrets: Read and write - β Workflows: Read and write - β Code scanning alerts: Read and write - β Dependabot alerts: Read and write - β Secret scanning alerts: Read and write
Organization Permissions: - β Members: Read-only (for team operations) - β Administration: Read and write (for org-level operations)
π Step 1: Generate New TokenΒΆ
Via GitHub UIΒΆ
- Navigate to: https://github.com/settings/tokens
- Click "Generate new token" β "Generate new token (classic)" OR "Fine-grained tokens"
- Token Name:
_codex_-master-key-2026-01-26 - Expiration: Custom β 1 year (2027-01-26)
- Select all required scopes (see above)
- Click "Generate token"
- β οΈ CRITICAL: Copy token immediately (shown only once)
Via GitHub CLIΒΆ
# Generate fine-grained token (recommended)
gh auth token
# Or create PAT via API (requires existing authentication)
gh api -X POST /user/tokens \
-f note="_codex_ Master Key $(date +%Y-%m-%d)" \
-f scopes="repo,workflow,admin:org,security_events,write:packages"
π§ Step 2: Update Repository SecretsΒΆ
Method 1: GitHub UIΒΆ
- Navigate to: https://github.com/Aries-Serpent/codex/settings/secrets/actions
- Find existing secret:
CODEX_MASTER_KEY - Click "Update" (or create if doesn't exist)
- Paste new token value
- Click "Update secret"
Method 2: GitHub CLI (Recommended)ΒΆ
# Set token as environment variable first
export NEW_TOKEN="ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" <!-- pragma: allowlist secret -->
# Update repository secret
gh secret set CODEX_MASTER_KEY \
--repo Aries-Serpent/_codex_ \
--body "$NEW_TOKEN"
# Verify secret was updated
gh secret list --repo Aries-Serpent/_codex_ | grep CODEX_MASTER_KEY
Method 3: Using GitHub CLI (Recommended)ΒΆ
For full automation without hardcoded paths, use the gh CLI with your repository:
# Verify gh CLI is authenticated
gh auth status
# Update repository secret
gh secret set CODEX_MASTER_KEY \
--repo Aries-Serpent/_codex_ \
--body "$NEW_TOKEN"
# Verify the update succeeded
gh secret list --repo Aries-Serpent/_codex_ | grep CODEX_MASTER_KEY
π Step 3: Update Configuration FilesΒΆ
3.1 Update .codex/flags.jsonΒΆ
# Update token timestamp
jq '.token_last_refreshed = "2026-01-26T19:00:00Z"' .codex/flags.json > .codex/flags.json.tmp
mv .codex/flags.json.tmp .codex/flags.json
# Update token status
jq '.codex_master_key_configured = true' .codex/flags.json > .codex/flags.json.tmp
mv .codex/flags.json.tmp .codex/flags.json
3.2 Update .codex/flags.ymlΒΆ
# Update in .codex/flags.yml
token_last_refreshed: "2026-01-26T19:00:00Z"
codex_master_key_configured: true
token_expiry: "2027-01-26T00:00:00Z"
3.3 Update .codex/autonomous_agent.yamlΒΆ
# Update token configuration
github:
token_secret_name: CODEX_MASTER_KEY
token_last_rotated: "2026-01-26T19:00:00Z"
token_rotation_interval_days: 90
β Step 4: Verify Token ConfigurationΒΆ
4.1 Test GitHub API AccessΒΆ
# Test token has correct permissions
export GITHUB_TOKEN="$NEW_TOKEN"
# Test repository access
gh api /repos/Aries-Serpent/_codex_ | jq '.permissions'
# Test security events access
gh api /repos/Aries-Serpent/_codex_/code-scanning/alerts \
-H "Accept: application/vnd.github+json" | jq '.[] | {number, state, rule_id}'
# Test workflow access
gh api /repos/Aries-Serpent/_codex_/actions/workflows | jq '.workflows[] | {name, state, path}'
# Test secrets access (list only - cannot read values)
gh api /repos/Aries-Serpent/_codex_/actions/secrets | jq '.secrets[] | .name'
4.2 Run Validation ScriptsΒΆ
# Validate token permissions
python scripts/security/validate_token_permissions.py \
--token "$NEW_TOKEN" \
--required-scopes repo,workflow,security_events,admin:org
# Test workflow trigger with new token
gh workflow run phase34-codeql-alert-fetch.yml \
--field max_pages=1 \
--field severity_filter=all
# Check workflow run status
gh run list --workflow=phase34-codeql-alert-fetch.yml --limit 1
4.3 Verify Secret Updates in WorkflowsΒΆ
# Trigger test workflow that uses CODEX_MASTER_KEY
gh workflow run test-token-access.yml
# Monitor workflow execution
gh run watch
# Check for permission errors in logs
gh run view --log | grep -i "permission\|403\|401\|unauthorized"
π Step 5: Update Agent SystemsΒΆ
5.1 Update Autonomous Agent ConfigurationΒΆ
# Update agent config with new token timestamp
python scripts/autonomous_agent.py update-token-config \
--timestamp "2026-01-26T19:00:00Z" \
--expiry "2027-01-26T00:00:00Z"
# Restart agent services (if running)
python scripts/autonomous_agent.py restart --safe-mode
5.2 Update Cognitive Brain SystemΒΆ
# Update cognitive brain token awareness
python scripts/cognitive/update_token_state.py \
--status active \
--last-refreshed "2026-01-26T19:00:00Z"
# Verify cognitive brain can access GitHub API
python scripts/cognitive/test_github_integration.py
5.3 Update Custom Copilot AgentsΒΆ
Update agent configuration files in .github/agents/:
# In .github/agents/codeql-alert-resolution-agent.md
## Token Configuration
**Token Secret**: `CODEX_MASTER_KEY`
**Last Refreshed**: 2026-01-26T19:00:00Z
**Expiry**: 2027-01-26T00:00:00Z
**Status**: β
Active
## Verification
To verify token access:
\`\`\`bash
gh api /repos/Aries-Serpent/_codex_/code-scanning/alerts --paginate | jq 'length'
\`\`\`
π Step 6: Update DocumentationΒΆ
6.1 Update Token Status DocumentsΒΆ
Update the following documentation files:
.codex/QUICK_REFERENCE_TOKEN_STATUS.md- Update "Last Refreshed" timestamp
- Update "Expiry Date"
-
Update "Status" to β Active
-
.codex/HUMAN_ADMIN_REQUIRED_TOKEN_SETUP.md - Add completion timestamp
- Mark token setup as complete
-
Document new token generation date
-
docs/admin/GENESIS_SETUP_GUIDE.md - Update token configuration section
- Add latest token refresh timestamp
6.2 Update Workflow DocumentationΒΆ
Update workflow documentation to reflect token configuration:
# Update workflow README
cat >> .github/workflows/README.md <<EOF
## Token Configuration (Updated: 2026-01-26)
All workflows requiring elevated permissions use the \`CODEX_MASTER_KEY\` secret.
**Last Token Refresh**: 2026-01-26T19:00:00Z
**Token Expiry**: 2027-01-26T00:00:00Z
**Next Rotation**: 2026-04-26 (90 days)
**Workflows Using CODEX_MASTER_KEY**:
- phase34-codeql-alert-fetch.yml
- auth-token-rotation.yml
- phase10-automated-secrets-setup.yml
EOF
π Step 7: Test Integration PointsΒΆ
7.1 Test Workflow ExecutionΒΆ
# Test Phase 34 workflow (primary use case)
gh workflow run phase34-codeql-alert-fetch.yml \
--field max_pages=5 \
--field severity_filter=high
# Wait for completion
sleep 60
# Check results
gh run view --log-failed | head -50
# Verify artifacts created
gh run download --name codeql-alert-inventory
ls -lh codeql-alert-inventory/
7.2 Test Issue CreationΒΆ
# Verify workflow can create issues
gh issue list --label "phase-34" --limit 5
# Test manual issue creation with token
gh issue create \
--title "[Test] Token Verification $(date +%Y-%m-%d)" \
--body "Testing CODEX_MASTER_KEY after regeneration" \
--label "test,token-verification"
7.3 Test Code Scanning OperationsΒΆ
# Fetch CodeQL alerts (requires security_events scope)
python scripts/security/fetch_codeql_alerts.py \
--owner Aries-Serpent \
--repo _codex_ \
--state open \
--max-pages 1 \
--output-dir /tmp/test-alerts \
--verbose
# Verify output
cat /tmp/test-alerts/alert_summary.md
π§ͺ Step 8: Comprehensive ValidationΒΆ
8.1 Run Full Test SuiteΒΆ
# Run token-dependent tests
pytest tests/integration/test_github_token_access.py -v
# Run workflow integration tests
pytest tests/workflows/test_phase34_execution.py -v
# Run security script tests
pytest tests/security/test_codeql_alert_management.py -v
8.2 Verify All PermissionsΒΆ
Create and run a comprehensive validation script:
cat > /tmp/validate_all_permissions.sh <<'EOF'
#!/bin/bash
set -e
echo "π Validating GitHub Token Permissions..."
echo "============================================"
# Test each required permission
echo "β
Testing repo access..."
gh api /repos/Aries-Serpent/_codex_ > /dev/null
echo "β
Testing workflow access..."
gh api /repos/Aries-Serpent/_codex_/actions/workflows > /dev/null
echo "β
Testing security events access..."
gh api /repos/Aries-Serpent/_codex_/code-scanning/alerts > /dev/null
echo "β
Testing issues access..."
gh api /repos/Aries-Serpent/_codex_/issues > /dev/null
echo "β
Testing pull requests access..."
gh api /repos/Aries-Serpent/_codex_/pulls > /dev/null
echo "β
Testing secrets access..."
gh api /repos/Aries-Serpent/_codex_/actions/secrets > /dev/null
echo ""
echo "π All permissions validated successfully!"
echo "Token is properly configured."
EOF
chmod +x /tmp/validate_all_permissions.sh
/tmp/validate_all_permissions.sh
π Step 9: Update Monitoring & LoggingΒΆ
9.1 Log Token Rotation EventΒΆ
# Add to change log
cat >> .codex/change_log.md <<EOF
## 2026-01-26T19:00:00Z - GitHub Token Rotated
**Event**: CODEX_MASTER_KEY token regenerated and updated
**Trigger**: Scheduled rotation / Security update
**New Expiry**: 2027-01-26T00:00:00Z
**Verified By**: @mbaetiong
**Components Updated**:
- β
Repository secret (CODEX_MASTER_KEY)
- β
Configuration files (.codex/flags.json, .codex/flags.yml)
- β
Autonomous agent config
- β
Cognitive brain system
- β
Documentation
- β
Workflow integrations
**Validation**:
- β
GitHub API access confirmed
- β
Workflow execution successful
- β
Code scanning operations functional
- β
Issue creation tested
- β
All permission scopes verified
EOF
9.2 Update Token Expiry MonitoringΒΆ
# Set up token expiry reminder
cat >> .codex/monitoring/token_expiry_check.py <<'EOF'
import datetime
def check_token_expiry():
"""Check if token is approaching expiry."""
expiry = datetime.datetime(2027, 1, 26, 0, 0, 0, tzinfo=datetime.timezone.utc)
now = datetime.datetime.now(datetime.timezone.utc)
days_until_expiry = (expiry - now).days
if days_until_expiry <= 30:
print(f"β οΈ WARNING: Token expires in {days_until_expiry} days!")
print(f" Expiry Date: {expiry.isoformat()}")
print(f" Action Required: Regenerate token before expiry")
return False
else:
print(f"β
Token valid for {days_until_expiry} days")
return True
if __name__ == "__main__":
check_token_expiry()
EOF
# Run check
python .codex/monitoring/token_expiry_check.py
π¨ TroubleshootingΒΆ
Common Issues & SolutionsΒΆ
Issue 1: "Bad credentials" or 401 ErrorsΒΆ
Symptom: API requests return 401 Unauthorized
Cause: Token not properly updated or has expired
Solution:
# Verify token is set correctly
gh auth status
# Re-login with new token
gh auth login --with-token < token.txt
# Test API access
gh api /user | jq '.login'
Issue 2: "Resource not accessible by integration" or 403 ErrorsΒΆ
Symptom: API requests return 403 Forbidden
Cause: Token missing required scopes
Solution:
# Check token scopes
gh api /user --include | grep -i "x-oauth-scopes"
# If scopes missing, regenerate token with all required scopes
# Then update secret again (see Step 2)
Issue 3: Workflow Fails with "Not Found" ErrorΒΆ
Symptom: Workflow runs but cannot access repository resources
Cause: Workflow using old token or wrong secret name
Solution:
# Verify secret exists
gh secret list | grep CODEX_MASTER_KEY
# Check workflow uses correct secret name
grep -n "CODEX_MASTER_KEY" .github/workflows/phase34-codeql-alert-fetch.yml
# Re-run workflow
gh workflow run phase34-codeql-alert-fetch.yml
Issue 4: Token Permissions Inconsistent Between UI and CLIΒΆ
Symptom: Operations work in UI but fail in CLI or workflows
Cause: Different tokens being used
Solution:
# Ensure same token everywhere
export GITHUB_TOKEN="$NEW_TOKEN"
# Update gh CLI authentication
echo "$NEW_TOKEN" | gh auth login --with-token
# Verify
gh auth status
π Token Rotation ScheduleΒΆ
Recommended Rotation FrequencyΒΆ
- Standard: Every 90 iterations (quarterly)
- High Security: Every 30 iterations (monthly)
- Emergency: Immediately if token compromised
Next Rotation DateΒΆ
Current Token: 2026-01-26
Next Scheduled Rotation: 2026-04-26 (90 days)
Expiry Date: 2027-01-26 (1 year)
Rotation ReminderΒΆ
Set calendar reminders: - 30 iterations before expiry: Start planning rotation - 14 iterations before expiry: Execute rotation - 7 iterations before expiry: Emergency rotation window
π Related DocumentationΒΆ
- Token Setup Guide:
.codex/HUMAN_ADMIN_REQUIRED_TOKEN_SETUP.md - Genesis Setup:
docs/admin/GENESIS_SETUP_GUIDE.md - Quick Reference:
.codex/QUICK_REFERENCE_TOKEN_STATUS.md - Security Policy:
.codex/CODEBASE_AGENCY_POLICY.md - Workflow Documentation:
.github/workflows/README.md - Agent Configuration:
.github/agents/README.md
β Completion ChecklistΒΆ
After completing all steps, verify:
- New token generated with all required scopes
- Repository secret
CODEX_MASTER_KEYupdated - Configuration files updated (flags.json, flags.yml, autonomous_agent.yaml)
- GitHub API access verified
- Workflow execution tested successfully
- Code scanning operations functional
- Issue creation tested
- All documentation updated
- Change log entry added
- Token expiry monitoring configured
- Next rotation date scheduled in calendar
- Team notified of token update
Document Version: 1.0.0
Last Updated: 2026-01-26T19:00:00Z
Maintained By: @mbaetiong
Next Review: 2026-04-26 (before next rotation)
End of Token Regeneration Guide β