From 89808c39bb1f4d554d5514e2145546527bf9d802 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Sat, 6 Sep 2025 08:31:33 -0500 Subject: [PATCH] chore: use fine-grained gh token --- .github/workflows/docker.yml | 2 +- .github/workflows/docs.yml | 2 +- .github/workflows/hyperfine.yml | 2 +- .github/workflows/registry.yml | 2 +- .github/workflows/release-alpine.yml | 6 +++--- .github/workflows/release-fig.yml | 4 ++-- .github/workflows/release-plz.yml | 4 ++-- .github/workflows/release.yml | 10 +++++----- .github/workflows/test-plugins.yml | 2 +- .github/workflows/test-vfox.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/winget.yml | 4 ++-- xtasks/test/coverage | 4 ---- 13 files changed, 21 insertions(+), 25 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 3941d68327..ab9ebdaa4c 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -12,7 +12,7 @@ concurrency: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - GITHUB_API_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || github.token }} + GITHUB_API_TOKEN: ${{ secrets.MISE_GH_TOKEN || github.token }} jobs: docker: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 93a2e8410c..ece674941b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,7 @@ concurrency: cancel-in-progress: true env: - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: docs: diff --git a/.github/workflows/hyperfine.yml b/.github/workflows/hyperfine.yml index 0014d3741f..db5cfcc11d 100644 --- a/.github/workflows/hyperfine.yml +++ b/.github/workflows/hyperfine.yml 
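Review bot: The workflow-level `env:` in docker.yml hands `secrets.MISE_GH_TOKEN` to every step of every job, and after this commit that secret is the same credential the release, fig and winget workflows use for writes. The same pattern recurs in docs.yml, hyperfine.yml, registry.yml, test-plugins.yml, test-vfox.yml and test.yml, and the `permissions:` blocks visible in hyperfine.yml and test.yml limit only the built-in `GITHUB_TOKEN`, not a PAT. If these jobs need the token only to avoid API rate limits, which the hunks do not show, a separate read-only secret or plain `GITHUB_API_TOKEN: ${{ github.token }}` would keep release-capable credentials out of build and test steps. The `env:` blocks start outside the hunks, so other consumers of these variables are not visible here.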
@@ -13,7 +13,7 @@ concurrency: env: CARGO_TERM_COLOR: always - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} MISE_EXPERIMENTAL: 1 permissions: diff --git a/.github/workflows/registry.yml b/.github/workflows/registry.yml index cd7f1829a8..919f7f7765 100644 --- a/.github/workflows/registry.yml +++ b/.github/workflows/registry.yml @@ -21,7 +21,7 @@ env: MISE_EXPERIMENTAL: 1 MISE_LOCKFILE: 1 RUST_BACKTRACE: 1 - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: build: diff --git a/.github/workflows/release-alpine.yml b/.github/workflows/release-alpine.yml index 9c9b856706..cd28106ed7 100644 --- a/.github/workflows/release-alpine.yml +++ b/.github/workflows/release-alpine.yml @@ -16,9 +16,9 @@ concurrency: env: DRY_RUN: ${{ github.event_name == 'release' && '0' || (github.event_name == 'workflow_dispatch' && (github.event.inputs.dry_run && '1' || '0')) || '1' }} - GITHUB_API_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} - GH_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_API_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: bump-alpine: diff --git a/.github/workflows/release-fig.yml b/.github/workflows/release-fig.yml index f5c4227b09..a2b27e4f2c 100644 --- a/.github/workflows/release-fig.yml +++ b/.github/workflows/release-fig.yml 
@@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 - token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} + token: ${{ secrets.MISE_GH_TOKEN }} - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 with: shared-key: build @@ -32,7 +32,7 @@ jobs: - name: Create Autocomplete PR ## Create the autocomplete PR using this action uses: withfig/push-to-fig-autocomplete-action@fb320c27ec12b225b9446373aa30b7d9c0c1eae8 # v2 with: - token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} + token: ${{ secrets.MISE_GH_TOKEN }} autocomplete-spec-name: mise spec-path: tasks/fig/src/mise.ts pr-body: "Automated PR for latest mise release by https://github.com/jdx/mise" diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 0444ed5d18..decd1cbc63 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -20,7 +20,7 @@ env: NPM_CONFIG_FUND: false RUST_BACKTRACE: 1 CARGO_TERM_COLOR: always - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: release-plz: @@ -31,7 +31,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: fetch-depth: 0 - token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} + token: ${{ secrets.MISE_GH_TOKEN }} - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: gpg_private_key: ${{ secrets.MISE_GPG_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e34fdf7b31..3750c9ad1b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
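Review bot: Both `token: ${{ secrets.MISE_GH_TOKEN }}` inputs in release-fig.yml now receive a fine-grained token, and fine-grained PATs are bound to a single resource owner. GitHub documents that only classic PATs have write access to public repositories the token owner does not own. If `withfig/push-to-fig-autocomplete-action` opens its PR against a repository outside the `jdx` account, which this hunk does not show, the step may start failing with a permissions error. The second `token:` input in winget.yml deserves the same check. A comment beside the input, such as `# MISE_GH_TOKEN: fine-grained PAT; required repositories/permissions: <FILL_IN>`, would record the needed scope for whoever rotates the secret.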
@@ -13,9 +13,9 @@ env: CARGO_TERM_COLOR: always DRY_RUN: ${{ startsWith(github.event.ref, 'refs/tags/v') && '0' || '1' }} RUST_BACKTRACE: 1 - GITHUB_API_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} - GH_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_API_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: build-tarball: @@ -280,7 +280,7 @@ jobs: --draft \ releases/$VERSION/* env: - GH_TOKEN: ${{ secrets.RTX_GITHUB_BOT_TOKEN }} + GH_TOKEN: ${{ secrets.MISE_GH_TOKEN }} - name: Publish Release Assets to CDN if: startsWith(github.event.ref, 'refs/tags/v') run: mise x -- scripts/publish-release.sh @@ -294,4 +294,4 @@ jobs: VERSION="$(./scripts/get-version.sh)" gh release edit "$VERSION" --draft=false env: - GH_TOKEN: ${{ secrets.RTX_GITHUB_BOT_TOKEN }} + GH_TOKEN: ${{ secrets.MISE_GH_TOKEN }} diff --git a/.github/workflows/test-plugins.yml b/.github/workflows/test-plugins.yml index 0b3ad5c567..d0abc90943 100644 --- a/.github/workflows/test-plugins.yml +++ b/.github/workflows/test-plugins.yml @@ -17,7 +17,7 @@ on: env: CARGO_TERM_COLOR: always - GITHUB_API_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_API_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: build-linux: diff --git a/.github/workflows/test-vfox.yml b/.github/workflows/test-vfox.yml index 63ffb24b16..2aeb2ab707 100644 --- a/.github/workflows/test-vfox.yml +++ b/.github/workflows/test-vfox.yml @@ -17,7 +17,7 @@ env: MISE_EXPERIMENTAL: 1 MISE_LOCKFILE: 1 RUST_BACKTRACE: 1 - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} jobs: "test-vfox": 
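Review bot: In release.yml the step-level `GH_TOKEN: ${{ secrets.MISE_GH_TOKEN }}` on the `gh release` steps (third hunk) is now the same secret that the workflow-level `env:` (first hunk) already exports as `GH_TOKEN`, `GITHUB_TOKEN` and `GITHUB_API_TOKEN`, so the override no longer separates the release credential from what the build jobs receive. Inverting it would restore that separation: keep the step-level lines and set the workflow-level entries to `${{ secrets.GITHUB_TOKEN }}`, so only the steps that create and publish the release hold the PAT. These steps previously used `RTX_GITHUB_BOT_TOKEN`, so the identity that authors the release may also change from the bot to the token's owner; worth confirming that is intended. The job bodies lie outside the hunks, so whether other steps need the PAT cannot be judged from here.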
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 73bc44b858..2eaf67b5de 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,7 +18,7 @@ env: MISE_EXPERIMENTAL: 1 MISE_LOCKFILE: 1 RUST_BACKTRACE: 1 - GITHUB_TOKEN: ${{ secrets.MY_RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN }} permissions: pull-requests: write diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml index ea2d962114..6f2331a839 100644 --- a/.github/workflows/winget.yml +++ b/.github/workflows/winget.yml @@ -10,7 +10,7 @@ jobs: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: repository: jdx/winget-pkgs - token: ${{ secrets.RTX_GITHUB_BOT_TOKEN }} + token: ${{ secrets.MISE_GH_TOKEN }} fetch-depth: 0 - run: git config user.name mise-en-dev - run: git config user.email release@mise.jdx.dev @@ -21,4 +21,4 @@ jobs: with: identifier: jdx.mise max-versions-to-keep: 5 - token: ${{ secrets.RTX_GITHUB_BOT_TOKEN }} + token: ${{ secrets.MISE_GH_TOKEN }} diff --git a/xtasks/test/coverage b/xtasks/test/coverage index c5e9d9c4bd..8eba5dcaae 100755 --- a/xtasks/test/coverage +++ b/xtasks/test/coverage @@ -3,10 +3,6 @@ echo "::group::Setup" set -euxo pipefail -# shellcheck disable=SC1090 -if [[ -n ${MISE_GITHUB_BOT_TOKEN:-} ]]; then - export GITHUB_API_TOKEN="$MISE_GITHUB_BOT_TOKEN" -fi export CARGO_TARGET_DIR="${CARGO_TARGET_DIR:-$PWD/target}" export PATH="${CARGO_TARGET_DIR}/debug:$PATH"