
Rename jobToken command to ghtoken#504

Merged
frjcomp merged 8 commits intomainfrom
copilot/port-gitlab-job-token-exploit
Feb 11, 2026

Conversation


Copilot AI commented Feb 10, 2026

Renamed GitHub CI/CD token exploit command from jobToken to ghtoken for consistency. The implementation already validates tokens, clones repositories, and pushes proof.txt files to test write access.

Changes

Command structure:

# Before
pipeleek gh jobToken exploit --token ghs-xxx --repo owner/repo

# After
pipeleek gh ghtoken exploit --token ghs-xxx --repo owner/repo

Directory/package renames:

  • internal/cmd/github/jobToken/ → internal/cmd/github/ghtoken/
  • pkg/github/jobtoken/ → pkg/github/ghtoken/
  • tests/e2e/github/jobtoken/ → tests/e2e/github/ghtoken/

Configuration updates:

  • Config keys: github.jobToken.* → github.ghtoken.*
  • Env vars: PIPELEEK_GITHUB_JOBTOKEN_* → PIPELEEK_GITHUB_GHTOKEN_*
  • Updated pipeleek.example.yaml and docs

Function/type renames:

  • NewJobTokenRootCmd() → NewGhTokenRootCmd()
  • Package jobtoken → ghtoken
  • Test names: TestGHJobToken* → TestGHGhToken*

Behavior

Command executes three steps:

  1. Validates GitHub Actions token via API
  2. Clones target repository with token auth
  3. Creates branch, commits proof.txt, pushes to test write access

Example output:

2026-02-11T07:05:40Z info GitHub Actions token validation succeeded
2026-02-11T07:05:40Z info Token authenticated as user user=testuser
2026-02-11T07:05:40Z info Successfully cloned repository
2026-02-11T07:05:40Z info Attempting to push branch (this tests write access)...

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: ./pipeleek gh ghtoken exploit --token fake_token --repo test/repo (http block)

If you need me to access, download, or install something from one of these locations, you can either:



Copilot AI changed the title [WIP] Port GitLab jobToken exploit to GitHub platform Add GitHub Actions GITHUB_TOKEN exploit command Feb 10, 2026
Copilot AI requested a review from frjcomp February 10, 2026 16:11
Copilot AI changed the title Add GitHub Actions GITHUB_TOKEN exploit command Rename jobToken command to ghtoken Feb 11, 2026
@frjcomp frjcomp marked this pull request as ready for review February 11, 2026 08:11
Copilot AI review requested due to automatic review settings February 11, 2026 08:11

Copilot AI left a comment


Pull request overview

This PR renames the GitHub CI/CD token exploit command from jobToken to ghtoken for better naming consistency. The command validates GitHub Actions tokens (GITHUB_TOKEN), clones target repositories, and creates proof-of-concept branches to test write access. The rename affects command structure, configuration keys, environment variables, and function/type names across the codebase.

Changes:

  • Renamed GitHub command from gh jobToken to gh ghtoken (GitLab's jobToken remains unchanged)
  • Updated configuration keys from github.jobToken.* to github.ghtoken.* with corresponding environment variable changes
  • Moved packages/directories: internal/cmd/github/jobToken/ → internal/cmd/github/ghtoken/, similar for pkg/ and tests/e2e/

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

Summary per file (file: description):

  • tests/e2e/github/ghtoken/exploit_test.go: New E2E tests for ghtoken exploit command with happy path and error scenarios
  • tests/e2e/config/config_loader_test.go: Added Windows-specific file permission handling (with issues)
  • pkg/github/ghtoken/exploit/exploit.go: Core exploit logic: validates token, clones repo, creates proof branch
  • pipeleek.example.yaml: Added ghtoken configuration example under github section
  • internal/cmd/github/github.go: Registered ghtoken command in GitHub root command
  • internal/cmd/github/ghtoken/ghtoken_test.go: Unit test for ghtoken root command
  • internal/cmd/github/ghtoken/ghtoken.go: Root command definition with token prefix validation
  • internal/cmd/github/ghtoken/exploit/exploit.go: Exploit subcommand with AutoBindFlags configuration pattern
  • go.sum: Updated dependencies (moved go-git from indirect to direct)
  • go.mod: Added go-git/go-git/v5 as direct dependency
  • docs/introduction/configuration.md: Updated documentation with ghtoken configuration examples

)
repo, resp, err = client.Repositories.Get(ctx, owner, repoName)
if err != nil {
log.Fatal().Stack().Err(err).Int("status", resp.StatusCode).Str("repo", repoPath).Msg("Repo API access blocked your GITHUB_TOKEN might not be valid anymore")
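Review bot: log.Fatal() on the error branch exits the process from inside pkg/github/ghtoken/exploit/exploit.go, so the failure of client.Repositories.Get can neither be returned to the ghtoken command layer in internal/cmd/github/ghtoken/exploit nor asserted on in an in-process unit test. Consider returning the error instead, for example `return fmt.Errorf("fetching repository %s: %w", repoPath, err)`, and letting the command decide whether to exit; the status can then be attached to the log event only when resp != nil, which also resolves the nil-response concern raised on this line.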
Copilot AI Feb 11, 2026


The error message does not follow the codebase convention. Other GitHub operations use "Failed fetching repository" for similar errors (see pkg/github/scan/scanner.go:259, pkg/github/container/artipacked/scanner.go:41, pkg/github/renovate/enum/enum.go:73). The current message should be changed to match this established pattern for consistency.

)
repo, resp, err = client.Repositories.Get(ctx, owner, repoName)
if err != nil {
log.Fatal().Stack().Err(err).Int("status", resp.StatusCode).Str("repo", repoPath).Msg("Repo API access blocked your GITHUB_TOKEN might not be valid anymore")
Copilot AI Feb 11, 2026


Potential nil pointer dereference when accessing resp.StatusCode. If the error is not nil but resp is nil, this will cause a panic. Based on patterns in the codebase (e.g., pkg/github/renovate/privesc/privesc.go:101 and pkg/github/scan/scanner.go:255), you should check if resp is not nil before accessing its properties.

Suggested change
log.Fatal().Stack().Err(err).Int("status", resp.StatusCode).Str("repo", repoPath).Msg("Repo API access blocked your GITHUB_TOKEN might not be valid anymore")
event := log.Fatal().Stack().Err(err).Str("repo", repoPath)
if resp != nil {
event = event.Int("status", resp.StatusCode)
}
event.Msg("Repo API access blocked your GITHUB_TOKEN might not be valid anymore")

@frjcomp frjcomp enabled auto-merge (squash) February 11, 2026 08:48
@frjcomp frjcomp merged commit 7791f7b into main Feb 11, 2026
12 checks passed
@frjcomp frjcomp deleted the copilot/port-gitlab-job-token-exploit branch February 11, 2026 08:52