Security: GitHub token embedded in git remote URL in auto-generated lock file #57

@github-actions

Description

Summary

The auto-generated file .github/workflows/security-review.lock.yml embeds the GitHub token directly in the git remote URL:

git remote set-url origin "(x-access-token/redacted):${{ github.token }}@${SERVER_URL_STRIPPED}/…"

GitHub Actions masks known secrets in step log output, but the token is written into the git remote configuration (.git/config or the equivalent in-memory config), meaning it can be read via git remote -v output within the same job, which may or may not be masked depending on context.

Suggested Fix

Adopt the safer inline credential helper pattern (already used in the hand-authored monorepo-release.yml and python-release.yml workflows) that never persists the token:

git -c "credential.helper=!f() { printf 'username=x-access-token\npassword=%s\n' \"${GH_TOKEN}\"; }; f" \
  push "$REMOTE" "$TAG"
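The difference between the two patterns can be checked directly. The script below is an added example, not from the issue or the gh-aw project: it sets up a throwaway clone with a local bare repository as its origin (so no real credential or network is needed), applies each pattern, and reports whether the token was persisted in the clone's .git/config. The token value, paths and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare token-in-URL with the inline credential helper on
# throwaway local repos. Token value and paths are constructed for the demo.
set -eu

GH_TOKEN="ghs_EXAMPLE_not_a_real_token"   # constructed placeholder

# Create a clone with one commit plus a local bare "origin" to push to.
# The bare repo is on the local filesystem, so no credential is ever used;
# what matters is what each pattern leaves behind in the clone's config.
make_repo() {
  dir=$(mktemp -d)
  git init -q --bare "$dir/origin.git"
  git init -q "$dir/work"
  git -C "$dir/work" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m init
  git -C "$dir/work" remote add origin "$dir/origin.git"
  echo "$dir/work"
}

# Prints "yes" if the token is persisted in the repo's config, else "no".
token_persisted() {
  if grep -q -- "$GH_TOKEN" "$1/.git/config"; then echo yes; else echo no; fi
}

# Pattern from the generated lock file: token inside the remote URL.
# The push itself is not run here because the host is a placeholder.
url_pattern() {
  work=$(make_repo)
  git -C "$work" remote set-url origin \
      "https://x-access-token:${GH_TOKEN}@example.invalid/org/repo.git"
  token_persisted "$work"
}

# Pattern from the hand-authored workflows: the inline helper supplies the
# token per invocation and nothing is written to the remote URL.
helper_pattern() {
  work=$(make_repo)
  git -C "$work" \
    -c "credential.helper=!f() { printf 'username=x-access-token\npassword=%s\n' \"${GH_TOKEN}\"; }; f" \
    push -q origin HEAD:refs/heads/main
  token_persisted "$work"
}

echo "token-in-URL pattern persisted:      $(url_pattern)"     # yes
echo "credential-helper pattern persisted: $(helper_pattern)"  # no
```

The same grep over .git/config can be run as a post-step check in a workflow to catch a regenerated lock file that reintroduces the URL-embedded token.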

Root Cause

This file is auto-generated by gh aw compile. The fix should be made upstream in the gh-aw tooling. Consider opening an upstream issue/PR with the gh-aw project to adopt the credential helper approach.

Location

  • File: .github/workflows/security-review.lock.yml
  • Line: 305

Context

  • Category: Authentication and Authorization / Secrets and Credentials
  • Severity: Low (informational)
  • Review comment:

    The GitHub token is embedded directly in the remote URL. GitHub Actions masks known secrets in step log output, but the token is written into the git remote configuration.

Related PR: #51

Generated by PR Review Comment Handler for issue #51
