it's all the moving parts that allow for fine-grained, time-limited tokens though.
there are also interesting things you can do in combination with branch protection rulesets and limiting which tags/workflows can generate tokens with specific permissions.