diff --git a/models/bots/task.go b/models/bots/task.go
index 7066f4a0e4..ae3be6da0e 100644
--- a/models/bots/task.go
+++ b/models/bots/task.go
@@ -12,13 +12,17 @@ import (
 "fmt"
 "io"
+ auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
+ "code.gitea.io/gitea/modules/base"
 "code.gitea.io/gitea/modules/bots"
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/util"
 runnerv1 "gitea.com/gitea/proto-go/runner/v1"
 "xorm.io/builder"
+ gouuid "github.com/google/uuid"
 "github.com/nektos/act/pkg/jobparser"
 )
@@ -35,6 +39,11 @@ type Task struct {
 Started timeutil.TimeStamp
 Stopped timeutil.TimeStamp
+ Token string `xorm:"-"`
+ TokenHash string `xorm:"UNIQUE"` // sha256 of token
+ TokenSalt string
+ TokenLastEight string `xorm:"token_last_eight"`
+
 LogFilename string // file name of log
 LogInStorage bool // read log from database or from storage
 LogLength int64 // lines count
@@ -139,6 +148,18 @@ func (task *Task) FullSteps() []*TaskStep {
 return steps
 }
+func (task *Task) GenerateToken() error {
+ salt, err := util.CryptoRandomString(10)
+ if err != nil {
+ return err
+ }
+ task.TokenSalt = salt
+ task.Token = base.EncodeSha1(gouuid.New().String())
+ task.TokenHash = auth_model.HashToken(task.Token, task.TokenSalt)
+ task.TokenLastEight = task.Token[len(task.Token)-8:]
+ return nil
+}
+
 type LogIndexes []int64
 func (i *LogIndexes) FromDB(b []byte) error {
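Review bot: The comment on `TokenHash` in the `type Task struct` hunk says `// sha256 of token`, but `GenerateToken` fills the field from `auth_model.HashToken(task.Token, task.TokenSalt)`, so it would be more accurate as `// salted hash of Token, see auth_model.HashToken`. `Token` is tagged `xorm:"-"`, so the plaintext exists only on the in-memory task that just ran `GenerateToken`; a comment such as `// plaintext token, set by GenerateToken only, never persisted` would warn callers that a Task loaded from the database carries an empty Token. If incoming tokens are looked up by `TokenLastEight` (not shown in this diff), that column probably wants an index in its xorm tag as well.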
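Review bot: In `GenerateToken` the token's unpredictability rests entirely on `gouuid.New()`; `base.EncodeSha1` appears only to re-encode the UUID string as a hex digest and adds no entropy, and `gouuid.New()` panics instead of returning an error when the random source fails. The salt two lines above already comes from `util.CryptoRandomString`, so the token could be drawn from the same helper with its error returned, e.g. `token, err := util.CryptoRandomString(40)` followed by the usual `if err != nil { return err }`, provided nothing else relies on the hex format; that also drops the uuid import. The exported method has no doc comment; `// GenerateToken creates a fresh random token and records its salt, salted hash and last eight characters on the task; the plaintext is kept only in task.Token.` would cover it.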
@@ -240,14 +261,17 @@ func CreateTaskForRunner(ctx context.Context, runner *Runner) (*Task, bool, erro
 Started: now,
 Status: StatusRunning,
 }
+ if err := task.GenerateToken(); err != nil {
+ return nil, false, err
+ }
- var wolkflowJob *jobparser.Job
+ var workflowJob *jobparser.Job
 if gots, err := jobparser.Parse(job.WorkflowPayload); err != nil {
 return nil, false, fmt.Errorf("parse workflow of job %d: %w", job.ID, err)
 } else if len(gots) != 1 {
 return nil, false, fmt.Errorf("workflow of job %d: not signle workflow", job.ID)
 } else {
- _, wolkflowJob = gots[0].Job()
+ _, workflowJob = gots[0].Job()
 }
 if _, err := e.Insert(task); err != nil {
@@ -259,8 +283,8 @@ func CreateTaskForRunner(ctx context.Context, runner *Runner) (*Task, bool, erro
 return nil, false, err
 }
- steps := make([]*TaskStep, len(wolkflowJob.Steps))
- for i, v := range wolkflowJob.Steps {
+ steps := make([]*TaskStep, len(workflowJob.Steps))
+ for i, v := range workflowJob.Steps {
 steps[i] = &TaskStep{
 Name: v.String(),
 TaskID: task.ID,
diff --git a/routers/api/bots/runner/runner.go b/routers/api/bots/runner/runner.go
index 54298e98a9..6e2e8fae7d 100644
--- a/routers/api/bots/runner/runner.go
+++ b/routers/api/bots/runner/runner.go
@@ -294,16 +294,23 @@ func pickTask(ctx context.Context, runner *bots_model.Runner) (*runnerv1.Task, b
 "ref_type": "",
 "head_ref": "",
 "base_ref": "",
- "token": "",
+ "token": t.Token,
 "repository_owner": fmt.Sprint(t.Job.Run.Repo.OwnerName),
 "retention_days": "",
 })
+ secrets := getSecretsOfTask(ctx, t)
+ if _, ok := secrets["GITHUB_TOKEN"]; !ok {
+ secrets["GITHUB_TOKEN"] = t.Token
+ }
+ if _, ok := secrets["GITEA_TOKEN"]; !ok {
+ secrets["GITEA_TOKEN"] = t.Token
+ }
 task := &runnerv1.Task{
 Id: t.ID,
 WorkflowPayload: t.Job.WorkflowPayload,
 Context: taskContext,
- Secrets: getSecretsOfTask(ctx, t),
+ Secrets: secrets,
 }
 return task, true, nil
 }
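Review bot: In the first `CreateTaskForRunner` hunk the error from `task.GenerateToken()` is returned bare, while the neighbouring failures are wrapped with the job id; `return nil, false, fmt.Errorf("generate token of job %d: %w", job.ID, err)` would keep the messages uniform and say which job failed. Nothing visible here bounds how long the token stays valid, so the code that verifies `TokenHash` (outside this diff) should presumably accept it only while the task is still running. The function starts and ends outside the hunk.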
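Review bot: In the `pickTask` hunk of routers/api/bots/runner/runner.go, the new writes `secrets["GITHUB_TOKEN"] = t.Token` and `secrets["GITEA_TOKEN"] = t.Token` will panic if `getSecretsOfTask` can return a nil map; its body is not shown here, so a guard such as `if secrets == nil { secrets = map[string]string{} }` (with the map type matched to its return type) before the two checks would be safer. Because `Task.Token` is tagged `xorm:"-"`, `t.Token` is empty unless `t` is the object that just ran `GenerateToken`; if `t` can come from a database load, the runner silently receives empty tokens, so it is worth failing early on `t.Token == ""`. A comment noting that a repository secret named `GITHUB_TOKEN` or `GITEA_TOKEN` deliberately takes precedence over the task token would make the `!ok` checks self-explanatory. The token now travels in both `taskContext` and `Secrets`, so the runner side should mask the context copy in logs as it does for secrets.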