Chain-deploy in Drone without using my own DRONE_TOKEN

I need to call a drone deployment from a drone build, but I don’t want to use my DEPLOY_TOKEN as a secret. What are my options?

there is no way to chain builds together that doesn’t involve the API, which requires an API token.

Can I use some kind of service token or service account instead of my own token?

You would have to create a service account in your version control system (e.g. GitHub) and then use the service account’s drone token.

Does GitHub provide a way to officially do that? Or do people just create a regular account?
If I were to use drone with private organization, it would cost additional money to just add a user there…

There is some documentation regarding machine users, however, I am not aware of any automation capabilities.

From a security perspective it would be a nice improvement to have single-repo and single-operation tokens.

Particularly for POST /api/repos/{namespace}/{name}/builds I see this being very useful.
It prevents any leaked keys from being abused for evil things like, changing the “Disable Pull Requests” / “Disable Forks” settings, or changing Project visibility.

They’re similar to why you would use a Deploy Key on GitHub vs a user’s personal access token if what you need is read/write access to a repository.