NOTE: This runbook is superseded by the GitHub App setup runbook (source/runbooks/github-app-setup.md.erb). Prefer GitHub App tokens for new automation; follow the migration guidance there.
GitHub Token Details
Token name
TECH_SERVICES_CODEPIPELINE_PRIVATE_REPOS
Storage location
Stored in AWS Secrets Manager (Shared Services account) as pttp-ci-infrastructure__github_token, created and maintained by the Operations Engineering Team.
Primary purpose
Enable cross-repository access required for integration testing between DHCP and NACS, and support automation that synchronises MoJ source-of-truth data with GitHub team membership.
Environment(s)
Shared Services
Scopes / Permissions
Organisation-level permissions
- Read and write access to organisation members
- Read and write access to organisation secrets
Repository-level permissions
(This token provides only the minimum required capabilities.)
- Read access to repository metadata
- Read and write access to:
  - Actions
  - Code
  - Issues
  - Pull Requests
- Able to add and remove members from GitHub teams
- Not permitted to assign teams to repositories (scopes do not allow this)
List of repositories
This list represents the full scope of repositories for which this token provides access to support NACS–DHCP integration and related automation workflows.
- ministryofjustice/network-access-control-server
- ministryofjustice/network-access-control-admin
- ministryofjustice/network-access-control-integration-tests
- ministryofjustice/aws-trusted-advisor-to-github-issues
- ministryofjustice/diso-devops-module-ssm-bastion
Intended use
Consumed by CI pipelines, scheduled jobs, and scripts that require cross-repository access for integration testing or GitHub team membership synchronisation.
Common operations
- Enable automated cross-repository access between DHCP and NACS for integration tests
- Synchronise MoJ directory data or YAML source-of-truth with GitHub team membership
Security considerations
- Treat strictly as a secret; never echo or commit.
- Restrict access to only required systems and individuals.
- Prefer short-lived tokens; rotate long-lived tokens regularly.
- Ensure workloads accessing this token use least-privilege IAM.
Rotation procedure
1. Prepare
- Identify all consumers of pttp-ci-infrastructure__github_token.
- Confirm they reference the secret by name (no inlined values).
- Generate a new token with identical scopes and organisation/repository permissions.
2. Update secret
- Replace the stored value in Secrets Manager / Parameter Store.
- Redeploy or refresh relevant workloads to pull the new token.
- Validate by running the NACS–DHCP integration test.
- Revoke the old token after successful validation.
3. Reference documentation
The renewal and lifecycle process is also documented in the NACS Integration Tests repository README.
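
One way to carry out the "reference the secret by name (no inlined values)" check from step 1 before rotating. This is an added example, not code from the runbook or the repositories it lists; the file suffixes, the token length bounds and the sample files are assumptions.

```python
import re
from pathlib import Path

SECRET_NAME = "pttp-ci-infrastructure__github_token"  # secret name from this runbook

# GitHub's published token prefixes: ghp_ (classic PAT), github_pat_ (fine-grained
# PAT), gho_/ghu_/ghs_/ghr_ (OAuth and app tokens). Length bounds are an assumption.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")

def audit_text(text):
    """Return (references_secret_by_name, line numbers holding an inlined token).

    Only line numbers are reported, so the audit itself never echoes a token.
    """
    lines = text.splitlines()
    inlined = [n for n, line in enumerate(lines, 1) if TOKEN_RE.search(line)]
    return SECRET_NAME in text, inlined

def audit_tree(root, suffixes=(".yml", ".yaml", ".tf", ".sh", ".json")):
    """Audit config-like files under root; map relative path -> finding."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        by_name, inlined = audit_text(path.read_text(errors="replace"))
        rel = path.relative_to(root).as_posix()
        if inlined:
            findings[rel] = f"FAIL: inlined token on line(s) {inlined}"
        elif by_name:
            findings[rel] = "ok: references secret by name"
    return findings

# Constructed samples (not real pipeline files; the token is a dummy value).
FAKE_TOKEN = "ghp_" + "A" * 36
GOOD_BUILDSPEC = f"""env:
  secrets-manager:
    GITHUB_TOKEN: {SECRET_NAME}
"""
BAD_SCRIPT = f"""#!/bin/sh
export GITHUB_TOKEN={FAKE_TOKEN}
git clone https://github.com/ministryofjustice/network-access-control-server
"""

if __name__ == "__main__":
    print(audit_text(GOOD_BUILDSPEC))  # referenced by name, nothing inlined
    print(audit_text(BAD_SCRIPT))      # not by name, token on line 2
```

Any consumer reported as FAIL holds a copy of the token that will not pick up the new value from Secrets Manager and will break once the old token is revoked.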