Short answer: You generally should not inject a GitHub PAT into Firebase App Hosting for deployment. Firebase App Hosting is designed to use the Firebase GitHub app / GitHub integration for continuous deployment, while secrets such as package tokens are handled separately through Firebase secrets or GitHub Actions secrets depending on the workflow.

What to use instead

For Firebase App Hosting, the documented setup is to authorize and install the Firebase GitHub app on your repository, then create an App Hosting backend tied to a repo and live branch.

That flow avoids needing a GitHub PAT for the App Hosting connection itself.

If you meant Hosting workflows

If you are actually using Firebase Hosting + GitHub Actions , the common pattern is to store a Firebase token or service account secret in GitHub Secrets, not a GitHub PAT inside Firebase.

The Firebase CLI can also set up GitHub Actions for Hosting automatically with firebase init hosting:github, which creates a service account secret and workflow files for you.

For private GitHub packages

If your real goal is to let your app install private GitHub packages during build, that is handled by environment secrets such as npm tokens or Secret Manager values, not by putting a GitHub PAT directly into App Hosting.

The guidance here is to store the registry token securely and reference it in .npmrc or your build environment.

Practical recommendation

  1. Use the Firebase GitHub app for App Hosting repo integration.
  1. Use Firebase secrets or GitHub Actions secrets for runtime/build secrets.
  1. Avoid hardcoding any PAT in source, workflow files, or client-side code.

Example setup

If your goal is App Hosting deployment from GitHub, the usual path is:

  • Connect the repo through Firebase App Hosting.
  • Pick the branch for continuous deployment.
  • Put any private package credentials in secret storage, not in the GitHub integration itself.

Clarify the target

Are you trying to:

  • connect a GitHub repo to Firebase App Hosting , or
  • deploy via Firebase Hosting GitHub Actions , or
  • access private GitHub packages during build?