Skip to content
This repository was archived by the owner on Mar 3, 2026. It is now read-only.

fix secret#10

Merged
markovejnovic merged 1 commit into main from staged
Feb 25, 2026

Conversation

@markovejnovic
Collaborator

No description provided.

@markovejnovic markovejnovic merged commit 6c4c70b into main Feb 25, 2026
6 checks passed
@mesa-dot-dev

mesa-dot-dev bot commented Feb 25, 2026

Mesa Description

This PR addresses an issue with secret management.

Description generated by Mesa.


@mesa-dot-dev mesa-dot-dev bot left a comment


Performed full review of de56c63...49c7224

Analysis

• Token consolidation violates least-privilege principle if CI_GIT_PAT has broader scope than the workflow-specific DEPOT_TOKEN; this increases blast radius and security risk if the centralized secret is compromised.

• Insufficient validation that CI_GIT_PAT has explicit cross-repository artifact read permissions required for proto downloads; token misconfiguration could break the pipeline silently or expose unintended access.

• Lack of documented rationale for the credential swap; no audit trail explaining the deprecation of DEPOT_TOKEN or justification for centralizing on a shared PAT, making future maintenance and security reviews harder.

• Potential inconsistency across environments if CI_GIT_PAT is not consistently configured or available in all deployment contexts where this workflow runs.


- name: Download proto artifact from depot
env:
GH_TOKEN: ${{ secrets.DEPOT_TOKEN }}
GH_TOKEN: ${{ secrets.CI_GIT_PAT }}
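Review bot: The new `GH_TOKEN: ${{ secrets.CI_GIT_PAT }}` line swaps a secret that appears dedicated to this single download step for a PAT shared across CI, and neither the hunk nor the PR body (which is empty) records which scopes the step needs or why `DEPOT_TOKEN` was dropped. Suggest stating in the PR description or a comment beside the step that this download only needs read access to the depot repository's Actions artifacts, keeping `CI_GIT_PAT` scoped accordingly (a fine-grained token limited to the depot repo with read-only Actions permission rather than a broad classic PAT), and confirming the secret is defined in this repository's settings so the fetch does not fail at runtime.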

Medium

By switching this step to secrets.CI_GIT_PAT, the download now depends on that PAT having read access to the depot repo’s artifacts (e.g., actions:read/repo). The previous DEPOT_TOKEN looked purpose-built for this workflow, so if CI_GIT_PAT is broader-scoped but lacks artifact access—or simply isn’t defined in this repo—the job will start failing when it tries to fetch the proto. Can we confirm the secret exists with the necessary permissions or document why this token is preferred?


Prompt for Agent
Task: Address review feedback left on GitHub.
Repository: mesa-dot-dev/sdk-rust#10
File: .github/workflows/accept_proto.yml#L64
Action: Open this file location in your editor, inspect the highlighted code, and resolve the issue described in the review comment above.
