Description
What's the problem this feature will solve?
When cloning a private repository, we generate a token with read-only access, with the "contents" permission (https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents). But GH by default also grants "Metadata" access (https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-metadata).
Having metadata access, gives the token access to things like querying the events of the repository, collaborators, comments done in a commit, and more, which feels leaky.
Describe the solution you'd like
Maybe remove the token after doing the clone. But this will mean users can't interact with the repository in the "post_checkout" step. We have several examples that rely on having access to the repository in that step (like unshallowing the repo).
Alternative solutions
Just document that behavior, and warn users that if they have a private repo, they should be aware of this and don't show the token on the build if they have a public version, and that anyone who can open a PR on the repository may be able to leak the token.