ci: temporary GH_TOKEN scope verification (revert before merge)

robert-j-y · robert-j-y · commit 7f191d39f91c · 2026-06-12T15:54:34.000-07:00
diff --git a/.github/workflows/tmp-gh-token-scope-check.yaml b/.github/workflows/tmp-gh-token-scope-check.yaml
@@ -0,0 +1,30 @@
+name: "TEMP: verify GH_TOKEN scope (will be removed before merge)"
+permissions: {}
+"on":
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check GH_TOKEN push access to this repo
+        env:
+          T: ${{ secrets.GH_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "$T" ]; then
+            echo "RESULT: GH_TOKEN secret is empty or not available"
+            exit 1
+          fi
+          # Print only booleans/derived facts, never the token or account details.
+          RESP=$(curl -s -H "Authorization: token $T" https://api.github.com/repos/${{ github.repository }})
+          echo "RESULT: can_push=$(echo "$RESP" | jq -r '.permissions.push // false')"
+          echo "RESULT: can_admin=$(echo "$RESP" | jq -r '.permissions.admin // false')"
+          SCOPES=$(curl -sI -H "Authorization: token $T" https://api.github.com/user | grep -i '^x-oauth-scopes:' | cut -d: -f2- | tr -d ' \r')
+          if echo ",$SCOPES," | grep -q ',repo,'; then
+            echo "RESULT: has_repo_scope=true"
+          else
+            echo "RESULT: has_repo_scope=false (classic scopes: present-but-redacted-count=$(echo "$SCOPES" | awk -F, '{print NF}'))"
+          fi
