docs: document fine-grained token scopes for ORG_SCORECARD_TOKEN

[don-petry]

Documents the required Fine-Grained Personal Access Token scopes (specifically Administration: Read-only) for the ORG_SCORECARD_TOKEN to resolve false-positive compliance audit issues regarding repository settings like delete_branch_on_merge.

Summary by CodeRabbit

• Documentation

  • Added explicit guidance for CI audit tokens: required repository access and specific fine‑grained read-only permissions needed for scorecard/audit workflows.

• Bug Fixes

  • Improved authentication preflight error message to clearly tell operators which token and fine‑grained repository permissions to verify for successful validation.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 55 minutes and 23 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 147aaeaf-5167-4a29-9b3c-42b2e9734a9b

📥 Commits

Reviewing files that changed from the base of the PR and between 63cc4c5 and a16078c.

📒 Files selected for processing (2)

• .gitignore
• scripts/compliance-audit.sh

📝 Walkthrough

Walkthrough

This PR updates token scope requirements for the OpenSSF Scorecard integration across two coordinated locations: the compliance audit script's error message now directs operators to verify ORG_SCORECARD_TOKEN validity and Fine-Grained token scopes, and the CI standards documentation now explicitly specifies those scope requirements.

Changes

ORG_SCORECARD_TOKEN scope requirements

Layer / File(s)	Summary
Token scope error message and documentation scripts/compliance-audit.sh, standards/ci-standards.md	Updated the gh auth status failure message to reference Fine-Grained token scope requirements (Administration: Read-only, Metadata: Read-only) and added corresponding documentation detailing repository access and explicit scope requirements for ORG_SCORECARD_TOKEN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• petry-projects/.github#12: Updates to the compliance audit script and ORG_SCORECARD_TOKEN scope guidance relate to the initial introduction and usage of org token configuration.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: documenting fine-grained token scopes for ORG_SCORECARD_TOKEN, which is the core objective of both the script and documentation updates.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update-scorecard-token-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the compliance audit script and documentation to clarify the requirements for the ORG_SCORECARD_TOKEN when using Fine-Grained Personal Access Tokens. The reviewer suggested including the necessary Organization-level 'Metadata: Read-only' scope in both the script's error message and the documentation to ensure repository discovery works correctly. Additionally, it was recommended to specify 'Read and write' access for Issues since the script manages them.

[Copilot]

Pull request overview

This PR updates the org standards documentation and audit-script messaging to clarify required Fine-Grained PAT permissions for ORG_SCORECARD_TOKEN, intended to prevent false-positive compliance findings when reading repository settings such as delete_branch_on_merge.

Changes:

• Document Fine-Grained PAT requirements for ORG_SCORECARD_TOKEN in standards/ci-standards.md.
• Update the gh auth status failure message in scripts/compliance-audit.sh to reference Fine-Grained PAT permissions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
standards/ci-standards.md	Adds documentation for the Fine-Grained PAT permissions needed by ORG_SCORECARD_TOKEN.
scripts/compliance-audit.sh	Adjusts authentication failure guidance to mention Fine-Grained PAT permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Line 1319: Update the error message string that currently says "Check that
ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, ensure it has
'Administration: Read-only' and 'Metadata: Read-only' repository scopes." to
either enumerate all five required Fine-Grained token scopes (Administration:
Read-only; Metadata: Read-only; Contents: Read-only; Issues: Read and write;
Organization: Metadata (Read-only)) or replace the inline scope list with a
short pointer to the full documentation (e.g., "see standards/ci-standards.md
lines 964-968") so operators receive complete remediation guidance; locate and
edit the exact message literal in scripts/compliance-audit.sh that emits the
ORG_SCORECARD_TOKEN guidance.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4167fc72-e5e4-414e-aa59-bfece5cca38b

📥 Commits

Reviewing files that changed from the base of the PR and between 3403601 and a4ca4f8.

📒 Files selected for processing (2)

• scripts/compliance-audit.sh
• standards/ci-standards.md

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[donpetry-bot]

Superseded by automated re-review at 70d8cd39c7d570d9c64bbbfe4de82f996ead1e7c — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Superseded by automated re-review at da5fa6b1f4bb527ed6b83b62d64236caec6c2a2f — click to expand prior review.

Review — fix requested (cycle 2/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[coderabbitai]

♻️ Duplicate comments (1)

scripts/compliance-audit.sh (1)

1697-1697: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Incomplete token scope list in error message — still unresolved.

This error message only mentions 2 of the 5 required Fine-Grained token scopes documented in standards/ci-standards.md lines 1063-1067. Operators encountering authentication failures will not receive complete remediation guidance.

Missing from the error message:

• Contents: Read-only
• Issues: Read and write
• Organization: Metadata (Read-only)

This issue was previously flagged and marked as "Addressed" but the incomplete scope list remains in the current code.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` at line 1697, Update the error message that
warns about ORG_SCORECARD_TOKEN validity to list all five required Fine-Grained
token scopes; modify the string that currently mentions "Administration:
Read-only" and "Metadata: Read-only" to also include "Contents: Read-only",
"Issues: Read and write", and "Organization: Metadata (Read-only)" so operators
see the complete remediation guidance for ORG_SCORECARD_TOKEN.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@scripts/compliance-audit.sh`:
- Line 1697: Update the error message that warns about ORG_SCORECARD_TOKEN
validity to list all five required Fine-Grained token scopes; modify the string
that currently mentions "Administration: Read-only" and "Metadata: Read-only" to
also include "Contents: Read-only", "Issues: Read and write", and "Organization:
Metadata (Read-only)" so operators see the complete remediation guidance for
ORG_SCORECARD_TOKEN.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ea71fe43-3547-494b-b13a-828a99622d85

📥 Commits

Reviewing files that changed from the base of the PR and between a4ca4f8 and afa6250.

📒 Files selected for processing (2)

• scripts/compliance-audit.sh
• standards/ci-standards.md

[coderabbitai]

♻️ Duplicate comments (1)

scripts/compliance-audit.sh (1)

1697-1697: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Error message lists incomplete Fine-Grained token scopes.

This error message only mentions 2 of the 5 required Fine-Grained token scopes documented in standards/ci-standards.md (lines 1059-1067). Operators who encounter this authentication failure won't receive complete remediation guidance.

Missing scopes from error message:

• Contents: Read-only (repository)
• Issues: Read and write (repository)
• Organization: Metadata (Read-only) (organization scope for listing repositories)

As per the context snippet from standards/ci-standards.md, the complete list is: "Administration: Read-only, Metadata: Read-only, Contents: Read-only, and Issues: Read and write. Additionally, it requires Organization: Metadata (Read-only) to list repositories in the organization."

Additionally, this line exceeds the 100-character guideline for shell scripts.

🔧 Proposed fix (Option 1: Reference documentation)

-    echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed." \
-      "Check that ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, ensure it has 'Administration: Read-only' and 'Metadata: Read-only' repository scopes." >&2
+    echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed. " \
+      "Check that ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, verify all " \
+      "required repository and organization scopes are configured per " \
+      "standards/ci-standards.md#openssf-scorecard-org-scorecardyml" >&2

Option 2: List all scopes inline (less maintainable)

-    echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed." \
-      "Check that ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, ensure it has 'Administration: Read-only' and 'Metadata: Read-only' repository scopes." >&2
+    echo "::error::gh auth failed — GH_TOKEN is set but authentication did not succeed. " \
+      "Check that ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, ensure it has " \
+      "repository scopes: 'Administration: Read-only', 'Metadata: Read-only', " \
+      "'Contents: Read-only', 'Issues: Read and write'; and organization scope: " \
+      "'Metadata: Read-only' (to list repositories)." >&2

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/compliance-audit.sh` at line 1697, Update the error string that
currently reads "Check that ORG_SCORECARD_TOKEN is valid. If using a
Fine-Grained token, ensure it has 'Administration: Read-only' and 'Metadata:
Read-only' repository scopes." to list all required Fine‑Grained token scopes
per standards/ci-standards.md (Administration: Read-only, Metadata: Read-only,
Contents: Read-only, Issues: Read and write, and Organization: Metadata
(Read-only)) and reflow/wrap the message to respect the 100‑character line limit
in the shell script; locate and edit the exact echoed/error message string in
scripts/compliance-audit.sh to make these replacements.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@scripts/compliance-audit.sh`:
- Line 1697: Update the error string that currently reads "Check that
ORG_SCORECARD_TOKEN is valid. If using a Fine-Grained token, ensure it has
'Administration: Read-only' and 'Metadata: Read-only' repository scopes." to
list all required Fine‑Grained token scopes per standards/ci-standards.md
(Administration: Read-only, Metadata: Read-only, Contents: Read-only, Issues:
Read and write, and Organization: Metadata (Read-only)) and reflow/wrap the
message to respect the 100‑character line limit in the shell script; locate and
edit the exact echoed/error message string in scripts/compliance-audit.sh to
make these replacements.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: abee9d64-1da9-45bc-930a-84707797a74c

📥 Commits

Reviewing files that changed from the base of the PR and between afa6250 and 63cc4c5.

📒 Files selected for processing (1)

• scripts/compliance-audit.sh

[don-petry]

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud