Provide env var to use gh CLI in GHA

[maximiliankolb]

What changes are you introducing?

Provide env vars to use gh in GHA

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

Original error message:

  Run gh run download '' -n pr
    gh run download '' -n pr
    shell: /usr/bin/bash -e {0}
  gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
    env:
      GH_TOKEN: ${{ github.token }}

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

Refs 71b5724 (PR 3587 on GitHub)

Checklists

• I am okay with my commits getting squashed when you merge this PR.
• I am familiar with the contributing guidelines.

no cherry-picks.

[ekohl]

From a security point of view I wonder if we should set this at the top level or not. I'd lean to being as specific as possible. @evgeni any thoughts?

[evgeni]

That'd mean adding it to every run that has gh?

[maximiliankolb]

Can we somehow use CODEOWNERS to prevent changes from non-maintainers in .github/* in PRs?

Applied in c4ffa1a

[evgeni]

non-maintainers can't merge, so I think that's fine?

[maximiliankolb]

True. But still a nice angle: PRs that change/introduce GHA that run on PRs and use that token. I can only hope it's similar to GitLab and tied to your user account.

[ekohl]

That'd mean adding it to every run that has gh?

More that any npm package we happen to pull in via surge also can access the env var.

[maximiliankolb]

We are one step further: https://github.com/theforeman/foreman-documentation/actions/runs/12830400048/job/35778499772

Run unzip pr.zip
  unzip pr.zip
  shell: /usr/bin/bash -e {0}
unzip:  cannot find or open pr.zip, pr.zip.zip or pr.zip.ZIP.
Error: Process completed with exit code 9.

[evgeni]

Ooooh, gh run download does unpack the artifact… handy?