Warn if a private registry configuration uses a PAT, but has no username

[mbg]

To authenticate using a PAT, the corresponding username is required. Using a PAT on its own, without the corresponding username, does not work.

This PR modifies the start-proxy action to check whether a configuration seems to use a GitHub PAT without a username and issue a warning in that case.

In the process, I also taught the artifact scanner about fine-grained tokens (start with github_pat_ and are longer than classic PATs) and extended the tests there.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR adds detection of PAT misuse in private registry credentials and enhances the artifact scanner to recognize fine-grained GitHub tokens, with corresponding test coverage and support utilities.

Changes:

• Extend the artifact scanner with a TokenType enum, reusable token patterns (including fine-grained PATs), and an exported isAuthToken helper used both in scanning and elsewhere.
• Update getCredentials in start-proxy.ts to warn when a GitHub PAT (classic or fine-grained) is used without a username, and add tests to verify logging behavior.
• Introduce makeTestToken and expand artifact-scanner tests to systematically validate token detection and logging for all supported token types.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/testing-utils.ts	Adds makeTestToken helper for generating deterministic token-like strings used in new tests.
src/start-proxy.ts	Imports the artifact scanner, introduces isPAT, and logs a warning when credentials use a PAT without a username.
src/start-proxy.test.ts	Adds a test that verifies getCredentials still accepts PAT-based credentials but logs the expected warning when no username is provided.
src/artifact-scanner.ts	Refactors token pattern handling into typed TokenType/TokenPattern, adds explicit PAT patterns (classic & fine-grained), exposes isAuthToken, and adapts scanning to use the typed patterns.
src/artifact-scanner.test.ts	Reworks tests to cover makeTestToken, isAuthToken, and all token types in scanArtifactsForTokens, checking both thrown error messages and logged summaries.
lib/* (multiple files)	Generated JavaScript outputs corresponding to the updated TypeScript sources; not manually reviewed per repository guidelines.

[Copilot]

isAuthToken iterates over TokenPattern values whose regexes all use the /g flag and calls pattern.test(value) directly. Because RegExp.prototype.test with a global regex mutates and uses lastIndex, repeated calls with the same value can alternate between true and false, so isAuthToken is not reliably idempotent and may fail to detect tokens on subsequent calls. Consider either resetting pattern.lastIndex before each test or using non-global regexes for this helper (while keeping the /g-flagged patterns for the scanning code that needs them).

[Copilot]

Unused variable exec.