What is the recommended approach to minimize token exposure in GitHub Actions?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is the recommended approach to minimize token exposure in GitHub Actions?

Explanation:
Minimizing token exposure comes from using ephemeral, limited-access credentials and keeping secrets out of the code and logs. The recommended approach is to rely on the built-in token, but restrict what it can do by setting limited permissions for the workflow. The GITHUB_TOKEN is created automatically for each job and is scoped to the repository; by configuring its permissions to only what the workflow actually needs, you reduce what a compromised step could access. Avoid long-lived credentials in workflows: don’t embed persistent tokens that linger beyond the job, and don’t reuse broad-scoped tokens across tasks. Store sensitive values in GitHub Secrets with restricted access, so only authorized workflows and environments can read them; GitHub Secrets are encrypted at rest and redacted in logs. This combination keeps credentials lean, short-lived, and shielded from leaks, while the other practices—storing secrets in plain text in the repo, using broad-scoped personal access tokens, or exposing tokens in logs—significantly increase risk and should be avoided.