Reduce GitHub token scope needed to use gruntwork-install (from `repo` to `package:read`)

[singhprd]

This issue is not valid - gruntworks modules are published via GitHub releases, not packages.

---

Hello 👋

My name is Peter and I work at FreeAgent. We use Gruntworks extensively - thanks for your great work, it helps us a lot! I've got one quick request to raise however:

Currently the gruntwork-installer requires a GITHUB_OAUTH_TOKEN to be able to access the gruntworks modules as they live in private GitHub repositories.

This GITHUB_OAUTH_TOKEN currently needs to be a "Private Access Token" (link) with repo access. This means that the token has full read & write access to all repositories that that user has access to.

Describe the solution you'd like Following the principle of least privilege, would it be possible to alter the installer to only need a GITHUB_OAUTH_TOKEN with read:package access.

The binaries that are eventually installed (in the use cases I've come across) are published as packages to GitHub, but I think the gruntworks-installer fails because it queries the tags before installing (logs at the bottom).

This might require adding an optional parameter to manually specify the GitHub release?

Describe alternatives you've considered None

Additional context The motivation behind wanting not to have a repo scoped token in our pipeline is that we'd like to allow dependabot to create PR and run CI, but want to grant as few permissions to that workflow as possible to mitigate against a malicious package stealing tokens.

---

Failure log when using a GITHUB_OAUTH_TOKEN scoped to only package:read:

#8 0.830 2022-04-26 10:49:41 [INFO] [gruntwork-install] Installing gruntkms...
#8 1.048 [fetch] time="2022-04-26T10:49:41Z" level=error msg="\nReceived an HTTP 404 Response when attempting to query the repo for its tags.\n\nThis means that either no GitHub repo exists at the URL provided, or that you don't have permission to access it.\nIf the URL is correct, you may need to pass in a --github-oauth-token.\n\nUnderlying error message:\nReceived HTTP Response 404 while fetching releases for GitHub URL https://api.github.com/repos/gruntwork-io/gruntkms/tags?per_page=100. Full HTTP response: {\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/repos#list-repository-tags\"}\n\n"
#8 ERROR: process "/bin/sh -c curl -LSs https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version \"$GRUNTWORK_INSTALLER_VERSION\" &&   gruntwork-install --repo \"[https://github.com/gruntwork-io/gruntkms\](https://github.com/gruntwork-io/gruntkms/)" --binary-name \"gruntkms\" --tag \"$GRUNTKMS_VERSION\"" did not complete successfully: exit code: 1

[singhprd]

Hello again.

I've realised now that the gruntworks modules are published as releases (not packages) - which still need the repo scope - they are not published as packages making this issue invalid with the way gruntworks patterns currently work.

I'll leave this issue open for you to triage (and close). Hopefully it might help document why the token is needed and perhaps might also spark some ideas about how to publish modules without needing quite as widely scoped a token - although GitHub make it quite hard to do it!

Thanks anyway.