From 7653acb433d09cfbc8c6b2e384e5121acc655c0a Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Fri, 13 Feb 2026 17:37:31 -0800
Subject: [PATCH] wip 1.83

---
 CHANGELOG.md | 2 +-
 crates/kingfisher-rules/data/rules/github.yml | 31 ++++++++++---------
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6ae926..47e1ab8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file.
 - Access Map: Hugging Face, Bitbucket, Postgres, and MongoDB credentials from scans are now auto-collected when using `--access-map`.
 - Access Map CLI: added providers `huggingface`/`hf`, `gitea`, `bitbucket`, `postgres`, `mongodb`/`mongo`.
 - Added `kingfisher.gitea.1` rule for Gitea access tokens with validation; self-revocation not supported (API requires Basic Auth).
-- Added revocation for GitHub App User-to-Server tokens (`ghu_`, `kingfisher.github.4`).
+- Added revocation for GitHub App Server-to-Server tokens (`ghs_`, `kingfisher.github.5`) via `DELETE /installation/token`. Note: `ghu_` (user-to-server) tokens cannot be self-revoked; they require the GitHub App's client credentials or manual revocation via GitHub Settings.
 - Fixed GitHub Access Map failing for all token types due to `GitHubUser` struct field mismatch (`_id` vs API `"id"`).
 
 ## [v1.82.0]
diff --git a/crates/kingfisher-rules/data/rules/github.yml b/crates/kingfisher-rules/data/rules/github.yml
index 18d93ab..2c37117 100644
--- a/crates/kingfisher-rules/data/rules/github.yml
+++ b/crates/kingfisher-rules/data/rules/github.yml
@@ -171,21 +171,9 @@ rules:
 words:
 - '"login"'
 - '"id"'
- revocation:
- type: Http
- content:
- request:
- method: POST
- url: https://api.github.com/credentials/revoke
- headers:
- Accept: application/vnd.github+json
- X-GitHub-Api-Version: 2022-11-28
- Content-Type: application/json
- body: '{"credentials":["{{ TOKEN }}"]}'
- response_matcher:
- - report_response: true
- - type: StatusMatch
- status: [202]
+ # Revocation not supported: ghu_ tokens require the GitHub App's client_id
+ # and client_secret (DELETE /applications/{client_id}/token with Basic auth).
+ # Users can revoke via GitHub Settings > Applications > Authorized GitHub Apps.
 - name: GitHub App Server-to-Server Token
 id: kingfisher.github.5
 pattern: |
@@ -216,6 +204,19 @@ rules:
 words:
 - '"login"'
 - '"id"'
+ revocation:
+ type: Http
+ content:
+ request:
+ method: DELETE
+ url: https://api.github.com/installation/token
+ headers:
+ Authorization: token {{ TOKEN }}
+ Accept: application/vnd.github+json
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [204]
 - name: GitHub Refresh Token
 id: kingfisher.github.6
 pattern: |
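Review bot: The replacement comment for the `ghu_` rule names the endpoint but leaves out that the token itself goes in the request body, which is the detail that makes the call impossible without the app's secret; suggest `# and client_secret (DELETE /applications/{client_id}/token, Basic auth, body {"access_token": "<ghu_ token>"}).` With the whole `revocation` block removed, a `ghu_` finding now carries no revocation action at all, so if the rule schema has a way to mark revocation as explicitly unsupported with a reason (presumably the same situation as the Gitea rule mentioned in the changelog), using it would surface this to users instead of silently skipping; the schema is not visible from here. The rule entry for `kingfisher.github.4` begins before this hunk; only its `words` list is in view.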
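Review bot: The new `DELETE /installation/token` request omits the `X-GitHub-Api-Version: 2022-11-28` header that the request removed in the previous hunk sent; add it under `headers` next to `Accept` so this call is pinned to the same API version as the other GitHub requests in this file. The 204-only `StatusMatch` means GitHub's 401 for a `ghs_` token that has already expired (installation tokens are short-lived) or was already revoked will surface as a failed revocation; whether that is the intended signal depends on how a status mismatch is reported, which is not visible here, but a comment such as `# 401 means the token was already invalid, not that revocation failed` would help the next reader. The `kingfisher.github.5` rule entry begins before this hunk.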