diff --git a/README.md b/README.md index 8d20147..7ade672 100644 --- a/README.md +++ b/README.md @@ -240,7 +240,9 @@ If the author cannot be resolved via either method, or the GitHub API is unreachable, the check fails with a clear error. For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API -can authenticate. +can authenticate. The official GitHub Action wires the workflow's automatic +token via the `github-token` input, so no manual `env:` is required; override +with a PAT only for cross-repo lookups. ### Configuration file diff --git a/action.yml b/action.yml index 4b9992a..a423b36 100644 --- a/action.yml +++ b/action.yml @@ -58,6 +58,11 @@ inputs: output-file: description: Write JSONL results to this file path (text still goes to stdout) required: false + github-token: + description: GitHub token for Commits API access (signature check). Defaults to + the workflow's automatic token; override with a PAT for cross-repo lookups. + required: false + default: ${{ github.token }} outputs: output-file: description: Path to the JSONL output file (set only when output-file input is provided) @@ -76,6 +81,7 @@ runs: - name: Run commit-guard id: run env: + GITHUB_TOKEN: ${{ inputs.github-token }} CG_REV: ${{ inputs.rev }} CG_RANGE: ${{ inputs.range }} CG_ENABLE: ${{ inputs.enable }} diff --git a/docs/index.html b/docs/index.html index f3de3c2..95d053f 100644 --- a/docs/index.html +++ b/docs/index.html @@ -474,7 +474,10 @@

Signature verification

If the author cannot be resolved via either method, or the GitHub API is unreachable, the check fails with a clear error. For private repositories, set GITHUB_TOKEN or GH_TOKEN - so the Commits API can authenticate. Disable the + so the Commits API can authenticate. The official GitHub Action wires + the workflow's automatic token via the github-token + input, so no manual env: is required; override with a + PAT only for cross-repo lookups. Disable the signature check if GitHub API access is unavailable:

commit-guard --disable signature
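Review bot: In the README.md hunk (and the matching docs/index.html hunk), the new sentence tells users to override with a PAT but never shows how, and it now sits directly after the instruction to set `GITHUB_TOKEN` or `GH_TOKEN`, so a reader cannot tell which mechanism applies where. Suggest stating that the environment variables are for running the CLI directly, that Action users pass the PAT through `with: github-token:`, and adding a one-line usage sample for the input.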
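Review bot: In the `inputs:` hunk of action.yml, the `github-token` description does not say what access the token needs. With `default: ${{ github.token }}` the signature check depends on whatever `permissions:` the calling workflow grants, so a workflow that restricts permissions and omits read access to repository contents would see the Commits API call fail. Suggest naming the minimum permission in the description and in the README, and recommending a read-only, narrowly scoped PAT when the input is overridden for cross-repo lookups.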
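Review bot: In the `runs:` hunk of action.yml, the step-level `GITHUB_TOKEN: ${{ inputs.github-token }}` takes precedence over any `GITHUB_TOKEN` the caller already exports at workflow or job level, so existing users who followed the earlier README advice and supplied a PAT through `env:` will silently fall back to the automatic token after upgrading. Suggest calling this out as a behaviour change in the README or release notes, and confirming how the tool behaves when a caller passes an empty `github-token` (the variable is then set to an empty string rather than left unset, which may shadow a `GH_TOKEN` the caller provided).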