From 41edfecb9e46dc1ec80bc0285eb01082a9919dcb Mon Sep 17 00:00:00 2001
From: jdalton
Date: Wed, 14 May 2025 14:21:41 -0500
Subject: [PATCH] Fallback to GITHUB_TOKEN if pat is not available
---
 src/commands/fix/open-pr.mts | 19 +++++++++----------
 src/constants.mts | 5 +++++
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/commands/fix/open-pr.mts b/src/commands/fix/open-pr.mts
index 071450c9f..774e879d7 100644
--- a/src/commands/fix/open-pr.mts
+++ b/src/commands/fix/open-pr.mts
@@ -28,8 +28,9 @@ let _octokit: Octokit | undefined
 function getOctokit() {
 if (_octokit === undefined) {
 _octokit = new Octokit({
- // Lazily access constants.ENV.SOCKET_SECURITY_GITHUB_PAT.
- auth: constants.ENV.SOCKET_SECURITY_GITHUB_PAT
+ // Lazily access constants.ENV properties.
+ auth:
+ constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
 })
 }
 return _octokit
@@ -40,8 +41,8 @@ export function getOctokitGraphql() {
 if (!_octokitGraphql) {
 _octokitGraphql = OctokitGraphql.defaults({
 headers: {
- // Lazily access constants.ENV.SOCKET_SECURITY_GITHUB_PAT.
- authorization: `token ${constants.ENV.SOCKET_SECURITY_GITHUB_PAT}`
+ // Lazily access constants.ENV properties.
+ authorization: `token ${constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN}`
 }
 })
 }
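Review bot: Neither `getOctokit` nor `getOctokitGraphql` checks that the fallback `constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN` produced a token, and the same expression appears a third time in `openPr`, where this commit also drops the old `if (!pat)` guard. With both variables unset the REST client is built without credentials and the GraphQL `authorization` header is interpolated from an empty or undefined value (what `envAsString` returns for an unset variable is not visible here), so the problem would surface later as an opaque API or git authentication failure rather than a configuration error. A single helper that owns the precedence and throws a clear message would cover all three sites, as sketched below; if unauthenticated use of the two clients is intended anywhere, keep the throw for `openPr` only. The closing brace of `getOctokit` lies outside the hunk.

```typescript
/** Resolve the GitHub credential once: explicit PAT first, then the workflow token. */
function getGitHubToken(): string {
  // Lazily access constants.ENV properties.
  const token =
    constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
  if (!token) {
    throw new Error(
      'Missing SOCKET_SECURITY_GITHUB_PAT or GITHUB_TOKEN environment variable'
    )
  }
  return token
}

// … unchanged: getOctokit() lazy-init wrapper …
    _octokit = new Octokit({ auth: getGitHubToken() })

// … unchanged: getOctokitGraphql() lazy-init wrapper …
        authorization: `token ${getGitHubToken()}`
```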
@@ -364,12 +365,10 @@ export async function openPr(
 } as OpenPrOptions
 // Lazily access constants.ENV.GITHUB_ACTIONS.
 if (constants.ENV.GITHUB_ACTIONS) {
- // Lazily access constants.ENV.SOCKET_SECURITY_GITHUB_PAT.
- const pat = constants.ENV.SOCKET_SECURITY_GITHUB_PAT
- if (!pat) {
- throw new Error('Missing SOCKET_SECURITY_GITHUB_PAT environment variable')
- }
- const url = `https://x-access-token:${pat}@github.com/${owner}/${repo}`
+ // Lazily access constants.ENV properties.
+ const token =
+ constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
+ const url = `https://x-access-token:${token}@github.com/${owner}/${repo}`
 await spawn('git', ['remote', 'set-url', 'origin', url], {
 cwd
 })
diff --git a/src/constants.mts b/src/constants.mts
index 58f45ec46..e12aa2a80 100644
--- a/src/constants.mts
+++ b/src/constants.mts
@@ -50,6 +50,7 @@ type ENV = Remap<
 GITHUB_REF_NAME: string
 GITHUB_REF_TYPE: string
 GITHUB_REPOSITORY: string
+ GITHUB_TOKEN: string
 INLINED_CYCLONEDX_CDXGEN_VERSION: string
 INLINED_SOCKET_CLI_HOMEPAGE: string
 INLINED_SOCKET_CLI_LEGACY_BUILD: string
@@ -239,6 +240,10 @@ const LAZY_ENV = () => {
 // The owner and repository name. For example, octocat/Hello-World.
 // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
 GITHUB_REPOSITORY: envAsString(env['GITHUB_REPOSITORY']),
+ // The GITHUB_TOKEN secret is a GitHub App installation access token. The token's
+ // permissions are limited to the repository that contains the workflow.
+ // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret
+ GITHUB_TOKEN: envAsString(env['GITHUB_TOKEN']),
 // Comp-time inlined @cyclonedx/cdxgen package version.
 // The '@rollup/plugin-replace' will replace "process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']".
 INLINED_CYCLONEDX_CDXGEN_VERSION: envAsString(
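Review bot: The added `const url` line in `openPr` embeds the credential in the `origin` remote URL, and `git remote set-url` persists that URL in plain text in `.git/config` under `cwd`, where every later step in the job can read it; with this change the value may be the workflow's `GITHUB_TOKEN` as well as a PAT. Nothing visible in the hunk restores the original URL afterwards, though `openPr` continues outside it. Consider supplying the token per invocation (for example through git's `http.extraheader` setting passed with `-c`) or resetting the remote once the push has completed, and keep the URL out of any logged error text. A comment here should also record that a branch pushed or a PR opened with `GITHUB_TOKEN` does not trigger further workflow runs, so the silent fallback changes which CI runs on the fix PR.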
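Review bot: The new comment above `GITHUB_TOKEN: envAsString(env['GITHUB_TOKEN'])` in `LAZY_ENV` sits among GitHub's default environment variables but does not say that this one is not set automatically. I would add `// Not a default variable: the workflow must pass it explicitly, e.g. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}.` and `// Pushing a branch and opening a PR with it needs contents: write and pull-requests: write.` so that users relying on the fallback know why it may be empty or rejected. `LAZY_ENV` starts and ends outside the hunk.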