Token for GitHub Action

martin-carlsson
PRO

3 months ago

I'm trying to set up a GitHub Action that can create a preview environment on a PR and change a secret (my database URL).

I'm trying to figure out how to create a token.

These two articles seem to contradict each other when it comes to tokens:
https://docs.railway.com/dynamic/tutorials/github-actions-pr-environment
https://blog.railway.com/p/github-actions

What token should I use in the GitHub Action?

10 Replies

3 months ago

It sounds like the solution is to use a Railway API token scoped to the user account, not a project token, for the GitHub Action.

This token should be set in the RAILWAY_API_TOKEN environment variable in the GitHub Action workflow.




martin-carlsson
PRO

3 months ago

Where do I create a "Railway API token scoped to the user account"?

On the page https://railway.com/account/tokens it looks like I can only create an API token scoped to a Project.


martin-carlsson
PRO

3 months ago

Also, what is the difference between a workspace and a project?


3 months ago

> what is the difference between a workspace and a project?

A workspace encompasses multiple projects -

https://docs.railway.com/overview/the-basics

> Where do I create a "Railway API token scoped to the user account"?

The link you provided is where you'd go -

https://railway.com/account/tokens


martin-carlsson
PRO

3 months ago

Hmm, if I use the Project Token from https://railway.com/project/<id>settings/tokens?environmentId=<id> then the GitHub Action below will start a deployment, but if I use the token from https://railway.com/account/tokens I get the error: Project Token not found

```yaml
name: Deploy to Railway

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    container: ghcr.io/railwayapp/cli:latest
    env:
      SVC_ID: ****
      RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - run: railway up --service=${{ env.SVC_ID }}
```

But I don't think this is the correct approach since Project Tokens are scoped to a specific Environment. And what I'm trying to do is to set up CI/CD and create a new preview environment.


martin-carlsson
PRO

3 months ago

I made some more tests, but couldn't get it to work.
I used the token from here: https://railway.com/account/tokens
This is my GitHub Action

```yaml
name: Railway

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    container: ghcr.io/railwayapp/cli:latest
    env:
      RAILWAY_API_TOKEN: ${{ secrets.RAILWAY_API_TOKEN }}

    steps:
      - uses: actions/checkout@v3
      - run: railway link --project ***
      - run: railway up --service ***
```

And this is the result:

```
Run railway link --project ***
  railway link --project ***
  shell: sh -e {0}
  env:
    RAILWAY_API_TOKEN: ***
Unauthorized. Please login with `railway login`
Error: Process completed with exit code 1.
```

3 months ago

You need to use an account scoped token, please see our docs on creating a PR environment from within a GitHub action -

https://docs.railway.com/tutorials/github-actions-pr-environment


martin-carlsson
PRO

3 months ago

I used the token from here: https://railway.com/account/tokens
Is that wrong?


martin-carlsson
PRO

3 months ago

I asked ChatGPT to summarize everything I've tried:

Summary of the CI issue with RAILWAY_API_TOKEN

Context

  • GitHub Action runs in the ghcr.io/railwayapp/cli:latest container (v4.4.x).

  • A team/workspace-scoped token (36-character string) is stored as the secret RAILWAY_API_TOKEN and exposed to the job with an env: block.

  • Goal: run railway link --project … --environment … followed by railway up --service … on every push to main.

What we tried & what happened

  1. Plain railway up with only RAILWAY_API_TOKEN
    Error: “No linked project found. Run railway link…”

  2. Added railway login --browserless before link
    Error: “Cannot login in non-interactive mode” (as expected).

  3. railway link with project ID as a positional arg
    Error: “unexpected argument …”.

  4. railway link --project <id> (correct flag syntax)
    Error: “Unauthorized. Please login with railway login”.

  5. Verified secret wiring

    • printenv confirms the variable name exists in the runner.

    • ${#RAILWAY_API_TOKEN} outputs 36, proving the value is present and non-empty.

  6. railway whoami as a sanity check
    Same 401 “Unauthorized” response.

  7. Pinned CLI to v4.3.3 and ran on fresh runners → identical 401.

Observations

  • The token reaches the CLI but every API call that needs project context (whoami, link, up) returns 401.

  • The 36-char length matches a team token. Docs say team tokens cannot create or link projects but should permit up; in practice they are rejected for both.

  • Using a personal account token is not ideal because the workflow later requires workspace-level operations.

Minimal failing workflow (IDs removed)

```yaml
name: Railway-link-test
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    container: ghcr.io/railwayapp/cli:latest
    env:
      RAILWAY_API_TOKEN: ${{ secrets.RAILWAY_API_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - run: railway link --project <project-id> --environment <env>
      - run: railway up --service <service-id>
```

Both commands fail with “Unauthorized. Please login with railway login.”
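
A variant of the "verified secret wiring" step from the summary above, as an added example that is not part of the original posts or Railway's own tooling: it reports whether each of the two token variables named in this thread is set, its length, and whether it contains stray whitespace, without ever printing the value. The function names `describe_token` and `token_wiring_report` are hypothetical, and treating "both variables set" as an error is a least-privilege convention assumed here, not documented CLI behaviour.

```shell
#!/bin/sh
# Added example: inspect CI token wiring without printing the secret.
# Variable names come from the thread; function names are hypothetical.

TAB=$(printf '\t')
CR=$(printf '\r')
NL='
'

# describe_token NAME VALUE
# Prints "NAME: unset" or "NAME: len=<n> whitespace=<yes|no>"; never the value.
describe_token() {
    dt_name=$1
    dt_value=$2
    if [ -z "$dt_value" ]; then
        printf '%s: unset\n' "$dt_name"
        return 0
    fi
    case $dt_value in
        *" "*|*"$TAB"*|*"$CR"*|*"$NL"*) dt_ws=yes ;;
        *) dt_ws=no ;;
    esac
    printf '%s: len=%s whitespace=%s\n' "$dt_name" "${#dt_value}" "$dt_ws"
}

# token_wiring_report
# Describes both variables; returns 1 if none or both are set, or if a set
# value contains whitespace (typically a newline pasted into the secret).
token_wiring_report() {
    twr_rc=0
    twr_out=$(describe_token RAILWAY_TOKEN "${RAILWAY_TOKEN:-}"
              describe_token RAILWAY_API_TOKEN "${RAILWAY_API_TOKEN:-}")
    printf '%s\n' "$twr_out"
    case $twr_out in
        *whitespace=yes*) echo 'error: a token value contains whitespace'; twr_rc=1 ;;
    esac
    if [ -n "${RAILWAY_TOKEN:-}" ] && [ -n "${RAILWAY_API_TOKEN:-}" ]; then
        echo 'error: both token variables are set; export only one'
        twr_rc=1
    elif [ -z "${RAILWAY_TOKEN:-}" ] && [ -z "${RAILWAY_API_TOKEN:-}" ]; then
        echo 'error: neither token variable is set'
        twr_rc=1
    fi
    return "$twr_rc"
}
```

Sourced into a workflow step, `token_wiring_report || exit 1` fails the job before any CLI call is made with a missing or malformed secret.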


martin-carlsson
PRO

3 months ago

For me it seems like RAILWAY_API_TOKEN isn't being picked up by the CLI.
I was able to deploy with RAILWAY_TOKEN.