This solution works with a huge flaw. I gave users instructions to add the encoded PAT in the repository URL of their settings.xml, so they can download artifacts from my repo when building their stuff. They don’t necessarily have a GitHub account, nor should they need one for this, as long as they use the PAT I made for them.
But now this can be effortlessly broken at will by anybody! They just need to copy the un-encoded PAT (which is just one letter away) and upload a .txt file with it to any random repo… BAM! GitHub will revoke the PAT for everybody.