Support Request (Maybe Feature): How do we use ephemeral Github tokens with this?

[crouth-redge]

Is your feature request related to a problem? Please describe.

I'm trying to use this in tandem with https://github.com/tenjaa/concourse-github-app-token which uses an App ID and priv key to request an ephemeral token rather than relying on an individuals personal access token, however since this requires the token be defined at the resource level, I'm not sure how to get the token passed to the in: stage on a get task.

We're doing enough requests that we must have a token to query for releases or else we hit the API limit.

Describe the solution you'd like

I should be able to pass a github access token in at the in: stage so I can do the following with the two resources:

  - name: github-token
    type: github-token-resource
    source:
      appId: 123456 # can be looked up on the overview page of your app
      privateKey: ((pem_private_key_secret)) # https://docs.github.com/en/developers/apps/authenticating-with-github-apps#generating-a-private-key
      org: OurTeamsOrg # get a token for an app installed to an org account

  - name: gh-goss-release
    type: github-release
    check_every: never
    source:
      owner: aelsabbahy
      repository: goss
      tag_filter: "^v([^-]|-[^r]|-r[^c].)*$"

jobs:
 - name: get-3rd-party-packages-and-sync-to-internal-repo
    plan:
       - put: github-token # put forces to get a new token, even when rerunning a build (https://concourse-ci.org/builds.html#build-rerunning)
      - load_var: token
        file: github-token/token
        
      - get: gh-goss-release
        params:
          access_token: ((token))

Describe alternatives you've considered

Not sure there's another way to properly do this auth without creating accounts for bots which is against Githubs current policies/best practices.

Additional context

I may have missed something, if this is possible already please educate.