From cac9c1648b4b3880ae3acbf10fe2c21bdf6fbdb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?=
Date: Thu, 7 May 2026 17:00:04 +0300
Subject: [PATCH] feat(action): wire github.token into GITHUB_TOKEN
automatically
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a `github-token` input defaulting to `${{ github.token }}` and threads
it into the run step's env, so action users no longer need the manual
`env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` snippet that PR #95's
404-hint pointed them at. Override with a PAT for cross-repo lookups.
Signed-off-by: Nerijus Bendžiūnas
---
README.md | 4 +++-
action.yml | 6 ++++++
docs/index.html | 5 ++++-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8d20147..7ade672 100644
--- a/README.md
+++ b/README.md
@@ -240,7 +240,9 @@ If the author cannot be resolved via either method, or the GitHub API is
unreachable, the check fails with a clear error.
For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
-can authenticate.
+can authenticate. The official GitHub Action wires the workflow's automatic
+token via the `github-token` input, so no manual `env:` is required; override
+with a PAT only for cross-repo lookups.
### Configuration file
diff --git a/action.yml b/action.yml
index 4b9992a..a423b36 100644
--- a/action.yml
+++ b/action.yml
@@ -58,6 +58,11 @@ inputs:
output-file:
description: Write JSONL results to this file path (text still goes to stdout)
required: false
+ github-token:
+ description: GitHub token for Commits API access (signature check). Defaults to
+ the workflow's automatic token; override with a PAT for cross-repo lookups.
+ required: false
+ default: ${{ github.token }}
outputs:
output-file:
description: Path to the JSONL output file (set only when output-file input is provided)
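Review bot: The `github-token` description names the Commits API but not the permission the token needs, so callers who restrict `permissions:` or supply a PAT have no stated minimum to aim for. If the signature check only reads commits (worth confirming against what the tool actually calls), the description could end with `Needs read access to repository contents only; when overriding, prefer a fine-grained read-only PAT.` As a style point, the description is a plain scalar continued onto a second line; `description: >-` makes the folding explicit and avoids surprises if the text later gains a `: ` or ` #`.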
@@ -76,6 +81,7 @@ runs:
- name: Run commit-guard
id: run
env:
+ GITHUB_TOKEN: ${{ inputs.github-token }}
CG_REV: ${{ inputs.rev }}
CG_RANGE: ${{ inputs.range }}
CG_ENABLE: ${{ inputs.enable }}
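Review bot: The added `GITHUB_TOKEN: ${{ inputs.github-token }}` is set unconditionally at step level, so a workflow that still sets `GITHUB_TOKEN` to a PAT through `env:` on the `uses:` step (the manual snippet the commit message refers to) will most likely have that value replaced by the default `github.token` inside this step. Cross-repo lookups that worked before could then fail without any change on the caller's side. The README also accepts `GH_TOKEN`, and which variable wins when both are present is not visible here. A comment above the line such as `# Overrides any caller-supplied GITHUB_TOKEN env; pass a PAT via the github-token input instead`, plus a matching upgrade note, would make this explicit. Passing the token through `env:` rather than interpolating it into the script is the right pattern, but the `run:` body lies outside the hunk, so whether it hands the environment on to other commands cannot be checked from here.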
diff --git a/docs/index.html b/docs/index.html
index f3de3c2..95d053f 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -474,7 +474,10 @@ Signature verification
If the author cannot be resolved via either method, or the GitHub API
is unreachable, the check fails with a clear error. For private
repositories, set GITHUB_TOKEN or GH_TOKEN
- so the Commits API can authenticate. Disable the
+ so the Commits API can authenticate. The official GitHub Action wires
+ the workflow's automatic token via the github-token
+ input, so no manual env: is required; override with a
+ PAT only for cross-repo lookups. Disable the
signature check if GitHub API access is unavailable:
commit-guard --disable signature