This guide provides step-by-step instructions for creating accounts and obtaining API tokens for different Git providers to use with Code Review Guardian.
Code Review Guardian requires a Git provider API token to post review comments to pull requests and merge requests. This token authenticates your requests to the Git provider's API.
Security Note: Never commit tokens to your repository. Always use .env files (which should be in .gitignore) or CI/CD secrets.
- Go to GitHub.com
- If you don't have an account, click Sign up and follow the registration process
- If you have an account, click Sign in and enter your credentials
- Click on your profile picture in the top-right corner
- Select Settings
- In the left sidebar, scroll down and click Developer settings
- Click Personal access tokens → Tokens (classic)
- Click Generate new token → Generate new token (classic)
- Give your token a descriptive name (e.g., "Code Review Guardian")
- Set an expiration date (recommended: 90 days or custom expiration)
- Select the following scopes/permissions:
- ✅ repo (Full control of private repositories)
- This includes: repo:status, repo_deployment, public_repo, repo:invite, security_events
- ✅ pull_requests (Read and write access to pull requests)
- ✅ repo (Full control of private repositories)
- Scroll down and click Generate token
- IMPORTANT: Copy the token immediately. It will look like:
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- You won't be able to see it again after leaving the page
- If you lose it, you'll need to generate a new one
Add the token to your .env file:
GIT_TOKEN=ghp_your_token_hereTest your token by running:
./code-review-guardian.sh --helpThe script will verify the token is accessible when needed.
GitHub also supports fine-grained personal access tokens with more granular permissions:
- Go to Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Click Generate new token
- Select your repository or organization
- Grant the following permissions:
- Repository permissions:
- Pull requests: Read and write
- Metadata: Read-only (automatic)
- Repository permissions:
- Generate and copy the token
- Add to
.envas shown above
- Go to GitLab.com or your GitLab instance URL
- If you don't have an account, click Register and complete the registration
- If you have an account, click Sign in
- Click on your profile picture in the top-right corner
- Select Preferences (or Edit profile)
- In the left sidebar, click Access Tokens
- Fill in the token details:
- Token name: e.g., "Code Review Guardian"
- Expiration date: Set an expiration (optional but recommended)
- Select scopes:
- ✅ api (Full API access)
- ✅ write_repository (Write repository content)
- Click Create personal access token
- IMPORTANT: Copy the token immediately. It will look like:
glpat-xxxxxxxxxxxxxxxxxxxx- You won't be able to see it again after leaving the page
- Store it securely
Add the token to your .env file:
GIT_TOKEN=glpat-your_token_hereTest your token by running:
./code-review-guardian.sh --help- Go to Bitbucket.org
- If you don't have an account, click Get started and complete registration
- If you have an account, click Log in
Bitbucket uses App Passwords instead of Personal Access Tokens:
- Click on your profile picture in the bottom-left corner
- Click Personal settings
- In the left sidebar, click App passwords (under Access management)
- Click Create app password
- Fill in the details:
- Label: e.g., "Code Review Guardian"
- Permissions:
- ✅ Repositories: Write
- ✅ Pull requests: Write
- Click Create
- IMPORTANT: Copy the password immediately. It will look like a random string
- You won't be able to see it again
- Store it securely
Add the app password to your .env file:
GIT_TOKEN=your_app_password_hereTest your app password by running:
./code-review-guardian.sh --helpIf you're using a self-hosted GitLab or Bitbucket instance:
Follow the same steps as GitLab.com, but use your self-hosted instance URL:
- Replace
gitlab.comwith your instance URL (e.g.,git.example.com)
- Go to your Bitbucket instance
- Click on your profile → Personal settings → App passwords
- Follow the same steps as Bitbucket Cloud
- Note: The token format may vary depending on your Bitbucket version
For CI/CD pipelines, use secrets/variables instead of .env files:
- Go to your repository on GitHub
- Click Settings → Secrets and variables → Actions
- Click New repository secret
- Name:
GIT_TOKEN - Value: Your token
- Click Add secret
In your workflow file:
env:
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}- Go to your project on GitLab
- Click Settings → CI/CD
- Expand Variables
- Click Add variable
- Key:
GIT_TOKEN - Value: Your token
- Check Mask variable (recommended)
- Check Protect variable if needed
- Click Add variable
In your .gitlab-ci.yml:
variables:
GIT_TOKEN: $GIT_TOKEN- Go to your repository on Bitbucket
- Click Repository settings → Pipelines → Repository variables
- Click Add variable
- Name:
GIT_TOKEN - Value: Your app password
- Check Secured (recommended)
- Click Add
In your bitbucket-pipelines.yml:
variables:
GIT_TOKEN: $GIT_TOKEN-
Never commit tokens to version control
- Always use
.envfiles (which should be in.gitignore) - Use CI/CD secrets/variables for automated pipelines
- Always use
-
Use least privilege
- Only grant the minimum permissions needed
- Review token permissions regularly
-
Set expiration dates
- Use short expiration dates for tokens (30-90 days)
- Rotate tokens regularly
-
Use different tokens for different purposes
- Don't reuse the same token across multiple projects
- Create separate tokens for development and production
-
Monitor token usage
- Regularly review active tokens
- Revoke unused or compromised tokens immediately
-
Store tokens securely
- Use password managers for local development
- Use encrypted secrets in CI/CD systems
- Verify the token is correctly copied (no extra spaces)
- Check token hasn't expired
- Verify token has correct permissions/scopes
- Ensure
.envfile is in the project root - Check environment variable name matches configuration
- Verify token has write permissions (not just read)
- Check repository access permissions
- For organizations, ensure your account has necessary permissions
- Verify
.envfile exists in project root - Check variable name in
.envmatchesapi_token_envin config - For CI/CD, verify secret/variable is set correctly
- Git providers have API rate limits
- GitHub: 5,000 requests/hour for authenticated requests
- GitLab: 2,000 requests/hour for authenticated requests
- Bitbucket: Varies by plan
- If you hit limits, wait before retrying or contact provider support