From 8c97cf9cd044e0b0f5342b97259b9ee8ca2a01ca Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@zulip.com>
Date: Thu, 20 Nov 2025 15:35:03 +0000
Subject: [PATCH] closed-by-commit: Broaden validation of Github secret tokens.

---
 tools/closed-by-commits | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tools/closed-by-commits b/tools/closed-by-commits
index b97dd71bf2..a128f135c7 100755
--- a/tools/closed-by-commits
+++ b/tools/closed-by-commits
@@ -369,9 +369,12 @@ class CommitRangeAnalyzer:
 
 
 def validate_github_token(value: str) -> str:
-    if not value.startswith("github_"):
-        raise typer.BadParameter("Github access tokens start with `github_`")
-    return value
+    # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
+    if value.startswith("github_"):
+        return value
+    if re.match(r"gh[pousr]_", value):
+        return value
+    raise typer.BadParameter("Github access tokens start with `github_`, or `gh`")
 
 
 from enum import Enum