doc: update doc on use of PAT for private repositories

[laurentsimon]

We need to verify whether PATs are still needed for private repositories, and update the doc if they are not.

[LeviPesin]

They are still needed.

[laurentsimon]

Thank you! Closing.

[laurentsimon]

Sorry. Here we want to verify whether "normal PATs" are needed for private repositories. Thanks for the link on fine-grained tokens. They are not supported for GraphQL either, yet.

[joshjohanning]

What is the PAT needed for?

In a test private repo, I was able to get this to work without a PAT. But I did comment out all of the permissions lines, which obviously yields 'findings' from this scan action.

[laurentsimon]

I think the PAT is needed for the branch protection check. You can keep the permissions line and it should work still work, but except for the branch protection check.

[joshjohanning]

I think the PAT is needed for the branch protection check.

ahh that makes sense