Update GITHUB_PAT secret in lint workflow #533

Merged: d-morrison merged 1 commit into main from d-morrison-patch-5, Jun 3, 2026

@d-morrison (Member)

This pull request makes a small change to the GitHub Actions workflow configuration. The environment variable GITHUB_PAT is now set to use the GITHUB_PAT secret instead of the default GITHUB_TOKEN secret.

@claude

claude Bot (Contributor) commented Jun 3, 2026

Claude finished @d-morrison's task in 46s


Code Review

  • Gather context and read changed files
  • Analyze the change

One-line change: .github/workflows/lint-changed-files.yaml line 14 — secrets.GITHUB_TOKEN → secrets.GITHUB_PAT.

Assessment

The change itself is syntactically correct, but it introduces a reliability concern worth flagging before merging.

Potential issue — workflow silently breaks if the secret is missing

secrets.GITHUB_TOKEN is automatically injected by GitHub Actions on every run. secrets.GITHUB_PAT is a manually created Personal Access Token (PAT) that must be explicitly added to the repository or organization secrets. If GITHUB_PAT is not configured:

  • GitHub Actions will resolve it to an empty string (no error at parse time).
  • The gh::gh() call on line 40 will receive no token, causing a 401/403 from the GitHub API, and the workflow will fail for all PRs.

The existing permissions: read-all should already be sufficient

The workflow already declares permissions: read-all (line 8), which grants GITHUB_TOKEN read access to repository contents, pull requests, and the API endpoints used here. The gh::gh() call only reads PR file lists — no write permissions are needed. Unless there was a documented case where GITHUB_TOKEN was failing for this specific workflow, switching to a PAT adds maintenance overhead (PATs can expire or be revoked) without a clear benefit.

Questions before approving:

  1. Was there a specific failure with secrets.GITHUB_TOKEN that motivated this change? If so, documenting it in the PR description would help future maintainers.
  2. Has secrets.GITHUB_PAT been added to the repository secrets? If not, this will break linting for all PRs immediately after merge.

If a PAT is genuinely needed (e.g., for rate-limiting reasons or org-level access), consider using a fine-grained PAT scoped to only contents: read and pull_requests: read, and document its purpose and expiry in the repo's secrets inventory.
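
The failure mode raised in the review above (a referenced secret that was never created resolves to an empty string) can be caught before merge. This is an added example, not part of the original comment or the repository's code: a shell check that lists secrets referenced by workflow files but absent from a supplied list of configured names. The function names and the two sample workflow files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): find secrets that workflows reference
# but that are not configured, before an empty value reaches a job.

# Print each distinct NAME used as `secrets.NAME` under directory $1.
referenced_secrets() {
  grep -rhoE 'secrets\.[A-Za-z_][A-Za-z0-9_]*' "$1" 2>/dev/null |
    sed 's/^secrets\.//' | sort -u
}

# Usage: missing_secrets DIR [CONFIGURED_NAME...]
# Print referenced names that are not in the configured list.
# GITHUB_TOKEN is skipped because GitHub Actions injects it on every run.
missing_secrets() {
  ms_dir=$1
  shift
  ms_configured=" $* "
  referenced_secrets "$ms_dir" | while IFS= read -r ms_name; do
    case "$ms_name" in GITHUB_TOKEN) continue ;; esac
    case "$ms_configured" in
      *" $ms_name "*) ;;                 # configured: nothing to report
      *) printf '%s\n' "$ms_name" ;;     # referenced but never created
    esac
  done
}

# Constructed sample input: two minimal workflow files in a temp directory.
make_sample_workflows() {
  sw_dir=$(mktemp -d) || return 1
  cat > "$sw_dir/lint-changed-files.yaml" <<'EOF'
permissions: read-all
jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      GITHUB_PAT: ${{ secrets.GITHUB_PAT }}
    steps:
      - run: echo "lint changed files"
EOF
  cat > "$sw_dir/other.yaml" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: echo "build"
EOF
  printf '%s\n' "$sw_dir"
}
```

In a repository, pass `.github/workflows` and the secret names reported by `gh secret list`; any name printed is a secret a workflow expects that has not been created.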


@codecov

codecov Bot commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

@d-morrison d-morrison merged commit c702182 into main Jun 3, 2026
17 of 20 checks passed
@d-morrison d-morrison deleted the d-morrison-patch-5 branch June 3, 2026 22:14