#!/bin/bash
# Save the GitHub PAT to a persistent env file for the releasekit-maintain cronjobs.
# Usage: bash /tmp/save-token.sh
# It will prompt for the token via stdin (not visible to logs).

read -r -s -p "Paste your GitHub PAT (input hidden): " TOKEN
echo ""
if [ ${#TOKEN} -lt 30 ]; then
  echo "Token too short (${#TOKEN} chars); expected 40+."
  exit 1
fi

# Persist with restrictive perms
mkdir -p ~/.hermes/secrets
chmod 700 ~/.hermes/secrets
printf 'GITHUB_TOKEN=%s\n' "$TOKEN" > ~/.hermes/secrets/github.env
chmod 600 ~/.hermes/secrets/github.env

# Verify it loads
set -a; source ~/.hermes/secrets/github.env; set +a
echo "len=${#GITHUB_TOKEN}"
curl -sS -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/user | python3 -c "import json,sys;print('login=',json.load(sys.stdin).get('login'))"