Pretty much what Luke said. I definitely see us adding an easy way to support robot account tokens, etc. But for today the best practice is to create a CI/CD-specific access token, perhaps with a separate GitHub account. (So that you can set access controls differently for that robot account than yourself.)
We’ve also considered being able to limit the scope of resources a personal access token has access to as well… There are a lot of good features to enable in this area, it’s just a matter of adding them 🙂