wip 1.83

2026-02-13 17:37:31 -08:00 · 2026-02-13 17:37:31 -08:00 · 7653acb433
commit 7653acb433
parent 816d5c40ba
2 changed files with 17 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file.
 - Access Map: Hugging Face, Bitbucket, Postgres, and MongoDB credentials from scans are now auto-collected when using `--access-map`.
 - Access Map CLI: added providers `huggingface`/`hf`, `gitea`, `bitbucket`, `postgres`, `mongodb`/`mongo`.
 - Added `kingfisher.gitea.1` rule for Gitea access tokens with validation; self-revocation not supported (API requires Basic Auth).
- Added revocation for GitHub App User-to-Server tokens (`ghu_`, `kingfisher.github.4`).
+- Added revocation for GitHub App Server-to-Server tokens (`ghs_`, `kingfisher.github.5`) via `DELETE /installation/token`. Note: `ghu_` (user-to-server) tokens cannot be self-revoked; they require the GitHub App's client credentials or manual revocation via GitHub Settings.
 - Fixed GitHub Access Map failing for all token types due to `GitHubUser` struct field mismatch (`_id` vs API `"id"`).

 ## [v1.82.0]
--- a/crates/kingfisher-rules/data/rules/github.yml
+++ b/crates/kingfisher-rules/data/rules/github.yml
@ -171,21 +171,9 @@ rules:
              words:
                - '"login"'
                - '"id"'
-    revocation:
-      type: Http
-      content:
-        request:
-          method: POST
-          url: https://api.github.com/credentials/revoke
-          headers:
-            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
-            Content-Type: application/json
-          body: '{"credentials":["{{ TOKEN }}"]}'
-          response_matcher:
-            - report_response: true
-            - type: StatusMatch
-              status: [202]
+    # Revocation not supported: ghu_ tokens require the GitHub App's client_id
+    # and client_secret (DELETE /applications/{client_id}/token with Basic auth).
+    # Users can revoke via GitHub Settings > Applications > Authorized GitHub Apps.
  - name: GitHub App Server-to-Server Token
    id: kingfisher.github.5
    pattern: |
@ -216,6 +204,19 @@ rules:
              words:
                - '"login"'
                - '"id"'
+    revocation:
+      type: Http
+      content:
+        request:
+          method: DELETE
+          url: https://api.github.com/installation/token
+          headers:
+            Authorization: token {{ TOKEN }}
+            Accept: application/vnd.github+json
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [204]
  - name: GitHub Refresh Token
    id: kingfisher.github.6
    pattern: |