ci(lint): fix invalid GitHub PAT format in lint-changed-files

[d-morrison]

Problem

The lint-changed-files job has been failing on PRs (e.g. run on #241) with:

Error in `validate_gh_pat()`:
! Invalid GitHub PAT format

Root cause: the R gh package reads the GITHUB_PAT env var and runs validate_gh_pat() on it. The auto-provisioned secrets.GITHUB_TOKEN is now a ghs_-style server-to-server token whose format gh rejects (it only accepts 40-hex, ghp_, or github_pat_). So the "Extract and lint files changed by this PR" step aborts before any linting runs.

see r-lib/gh#231 and r-lib/gh#232 for details

Fix

Unset GITHUB_PAT and pass the token explicitly via .token= (which bypasses the PAT format check), setting GITHUB_TOKEN: ${{ github.token }} on the step. This mirrors the fix already applied in the shigella repo.

Once merged into main, branches (including #241) will pick it up after merging main in.

🤖 Generated with Claude Code

[claude]

Claude finished @d-morrison's task in 1m 1s —— View job

---

Code Review

• Gathering context
• Read changed files
• Analyze changes
• Post review feedback

---

Overall: Correct fix, clean implementation. Approved.

The PR correctly identifies and resolves the root cause: the R gh package's validate_gh_pat() only accepts tokens with 40-hex, ghp_, or github_pat_ prefixes, but GitHub Actions' auto-provisioned GITHUB_TOKEN now issues ghs_-style server-to-server tokens that fail this check.

What the fix does

1. Removes the job-level GITHUB_PAT env var — eliminates the problematic mapping of ghs_-style token into the env var that gh auto-reads.
2. Adds Sys.unsetenv("GITHUB_PAT") — defensive guard against org/repo-level secrets or future workflow changes reintroducing GITHUB_PAT.
3. Passes .token = Sys.getenv("GITHUB_TOKEN") explicitly — the .token parameter bypasses validate_gh_pat() entirely, which is the correct bypass for non-legacy token formats.
4. Sets GITHUB_TOKEN: ${{ github.token }} at step scope — correctly scopes the token to where it's needed, using the modern github.token expression (equivalent to secrets.GITHUB_TOKEN).

Minor notes

• github.token vs secrets.GITHUB_TOKEN (.github/workflows/lint-changed-files.yaml:51): Using github.token is the preferred modern form — no issue here.
• Sys.unsetenv("GITHUB_PAT") necessity: Since the job-level env: block was removed, this call isn't strictly required in the current state (GitHub Actions doesn't auto-expose repository secrets as env vars). However, it's good defensive hygiene and correctly guards against future regressions. No change needed.
• permissions: read-all (line 8): Already present at the workflow level, so the PR files API call has sufficient read access.

No bugs, security issues, or logic problems found. The fix mirrors the pattern used in the shigella repo and is the standard approach for this class of problem with the R gh package.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.