ossf / scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
https://github.com/marketplace/actions/openssf-scorecard-monitor
Apache License 2.0
32 stars 13 forks

Don't require `GITHUB_TOKEN` when it is not needed #47

Closed rajbos closed 1 year ago

rajbos commented 1 year ago

From what I can see, the GITHUB_TOKEN is not needed for discovery (it would only have access to the current repo anyway), so we can remove it from this check. I ran into it during debugging (output tested in an ACTIONS_STEP_SUMMARY) and since it is not needed...

UlisesGascon commented 1 year ago

I think we need it for the discovery mode because in order to use the octokit instance (See) you first need to provide the token (See)

rajbos commented 1 year ago

For the call to get public repos you don't need to be authenticated, so that was my thinking. I now remember that this will work on github.com, but not on Enterprise server (where I eventually want to use this as well for my customers), since even for a public repo on that, you will need to be authenticated.

Even the Octokit toolkit makes the token required, so it is needed.

Good to double check this indeed 😄. Closing this issue.