by cnuss 1607 days ago
The GitHub token that is used is a short-lived token that is generated new every time a GitHub action is run.

Ref: https://docs.github.com/en/actions/security-guides/automatic...

And the SAML.to backend first checks to make sure the token is valid by invoking:

Ref: https://docs.github.com/en/rest/reference/apps#list-reposito...

I haven't checked, but I assume GitHub invalidates the token when the GitHub Action finishes.