
Using GitHub with GITHUB_TOKEN without Prefix leaks token #233

Closed
rowi1de opened this issue Nov 27, 2019 · 4 comments
Labels
bug Something isn't working

Comments

@rowi1de

rowi1de commented Nov 27, 2019

```typescript
import * as core from '@actions/core';
import { context, GitHub } from '@actions/github';

// comes from {{secrets.GITHUB_TOKEN}}
const repoToken = core.getInput('repo-token', { required: true });
core.setSecret(repoToken);
const client = new GitHub(repoToken);
```

Full source https://github.com/rowi1de/auto-assign-review-teams/blob/master/src/main.ts

will leak the token on error:

"Could not resolve to a node with the global id of 'M....c='."

```
19-11-22T16:44:34.9046342Z (node:2404) UnhandledPromiseRejectionWarning: HttpError: Validation Failed: "Could not resolve to a node with the global id of 'M....c='."
2019-11-22T16:44:34.9047036Z     at /home/runner/work/_actions/rowi1de/typescript-action/master/node_modules/@octokit/request/dist-node/index.js:66:23
2019-11-22T16:44:34.9047273Z     at processTicksAndRejections (internal/process/task_queues.js:89:5)
201
```

see actions/typescript-action#40

@ethomson
Contributor

ethomson commented Nov 27, 2019

I'm not sure what you mean by "without prefix"? Have you validated that the thing that you're seeing is the GITHUB_TOKEN? The message that you're posting looks like an error message from the GitHub API that's including the issue's node_id.

eg: https://github.com/octokit/rest.js/issues/531

@rowi1de
Author

rowi1de commented Nov 27, 2019

@ethomson I mean I'm just passing `{{secrets.GITHUB_TOKEN}}` into `GitHub()`.

If I want to use the GITHUB_TOKEN for REST calls directly, I would need to add it as the header `--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'`.
Will this be implicitly done by the used implementation?

I'm pretty sure: If I use a personal access token, put it into the Secrets of the Repo where the action is running it works without a problem.

@thboop
Collaborator

thboop commented Apr 13, 2020

Hey @rowi1de,
This doesn't appear to be a leaking of the GitHub token; this is an error coming from the GitHub API. I believe the "token" in question is the GraphQL node. The GitHub token is not in that format.

Are all of the APIs failing for you? Or is only a single API failing?

If you are seeing this as a result of your comment here

You may want to start a discussion in the GitHub community forums for the API; this doesn't appear to be a toolkit issue. It appears to be an issue with that API.
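The distinction thboop draws above (a GraphQL global node id versus the token registered with core.setSecret) can be checked mechanically. The following is an added example, not code from this issue or from actions/toolkit: it decodes a value with the base64 shape seen in the log ('M....c=') as a legacy node id (base64 of "0<len>:<Type><numeric id>", e.g. "MDU6SXNzdWUx" is "05:Issue1", where the prefix is the length of the type name), and shows how a registered secret would have been masked before reaching the log. The sample node id and the placeholder token are constructed.

```javascript
// Added example (not from the issue or the actions/toolkit project).
// Constructed sample values: a legacy node id for Issue #1 and a
// placeholder token that is not a real credential.
const SAMPLE_NODE_ID = Buffer.from('05:Issue1').toString('base64'); // "MDU6SXNzdWUx"
const SAMPLE_TOKEN = 'ghs_PLACEHOLDER_not_a_real_token_0000000';

// Decode a legacy GitHub global node id ("0<len>:<Type><id>" in base64).
// Returns { type, id } or null when the value is not in that format.
function decodeLegacyNodeId(value) {
  let decoded;
  try {
    decoded = Buffer.from(String(value), 'base64').toString('utf8');
  } catch {
    return null;
  }
  const m = /^0(\d+):([A-Za-z]+)(\d+)$/.exec(decoded);
  if (!m) return null;
  const [, len, type, id] = m;
  // The zero-padded prefix is the length of the type name ("05" for "Issue").
  if (Number(len) !== type.length) return null;
  return { type, id: Number(id) };
}

// Mask every occurrence of each registered secret, which is what the runner
// does for values announced with "::add-mask::" (core.setSecret) before
// a line is written to the job log.
function maskSecrets(line, secrets) {
  let out = line;
  for (const s of secrets) {
    if (s) out = out.split(s).join('***');
  }
  return out;
}

// Triage a value quoted in an error message: is it a secret we registered,
// a GraphQL node id, or something else worth a closer look?
function classifySuspect(value, secrets) {
  if (secrets.includes(value)) return 'registered secret';
  const node = decodeLegacyNodeId(value);
  if (node) return `GraphQL node id (${node.type} ${node.id})`;
  return 'unknown';
}

// Stand-alone demonstration on the constructed values.
console.log(classifySuspect(SAMPLE_NODE_ID, [SAMPLE_TOKEN]));
console.log(maskSecrets(`HttpError: Bad credentials for ${SAMPLE_TOKEN}`, [SAMPLE_TOKEN]));
```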

@rowi1de
Author

rowi1de commented Apr 14, 2020

Hey @thboop,

You are right, I was on the wrong path when creating the issue.
It only fails when trying to assign a team to a PR.

Thanks!
