feat: Default repo-token to token

[shrink]

The absence of a default value for repo-token means that this action may start to fail long after it has been implemented by a developer: the developer adds the action to their workflow (without a token because it's optional) and then, at some point in the future, their workflows may randomly start to fail because they've hit the unauthenticated rate-limit.

[tristan-f-r]

LGTM! This seems to be the standard way to do it.

[shrink]

@LeoDog896 Yep, sorry, I should have noted that this is the standard approach.

Just to catch one concern that might come up: although adding .token as the default value does that mean by default this action will now be given the active token, it's actually already possible for any action to access the token. The use of .token as the default value for repo-token is the idiomatic way to pass the token because it's leveraging the standard Action configuration flow, but other approaches are available, like bypassing Action configuration altogether and instead just pulling it from the environment -- i.e: process.env._TOKEN.

Important: An action can access the _TOKEN through the .token context even if the workflow does not explicitly pass the _TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the _TOKEN. For more information, see "Permissions for the _TOKEN." ...via Actions / Security guides / Automatic token authentication.

Separate from the above, while reviewing this Pull Request again, I've noticed I missed making a change to the README. At the moment the README says:

repo-token
(Optional) access token used for API requests. Heavy usage of the action can result in workflow run failures caused by rate limiting. provides a more generous allowance for Authenticated API requests.
It will be convenient to use ${{ secrets._TOKEN }}.

I think something like this might be clearer in light of this change:

repo-token
(Optional) access token used for API requests. When no repo-token is provided, the Workflow token will be used by default.

Let me know if that sounds like a more helpful description, and I'll update this Pull Request to include the README change too :)

Thanks!

[per1234]

Thanks for your PR @shrink!

I think something like this might be clearer in light of this change:

I think the best thing is to follow Arduino's established format for documenting default input values, as is already used for the version input.

Here is an example of how the default token value was documented in one of Arduino's other actions:

https://.com/arduino/report-size-deltas#-token

[CLAassistant]

All committers have signed the CLA.

[shrink]

I think the best thing is to follow Arduino's established format for documenting default input values, as is already used for the version input.

Thank you very much, I agree, consistency is best! I've added the established format.

Requested changes have been made. Thanks!

[andreynering]

Closed by mistake? This still seems to be an useful change to me. @shrink @per1234

[shrink]

@andreynering you're right, thank you for catching the mistake. I deleted some unused forks (or so I thought): I missed that this Pull Request was still open. I've asked to restore the repository so the Pull Request is now re-opened.

[matfax]

It could be improved to account for enterprise servers, but this can be done in a future update if need be, since other code sections might be affected by this as well.

[matfax]

Could be replaced with default: ${{ .server_url == 'https://.com' && .token || '' }} as in actions/setup-go.