[Feature/Idea]: Add documentation/support for fine-grained personal access tokens

[russellbanks]

What would you like to see changed/added?

GitHub has a new type of personal access token that are fine-grained and repository-scoped.

Fine-grained personal access tokens give developers granular control over the permissions and repository access they grant to a PAT.

The existing personal access tokens continue to be fully supported, and are now called personal access tokens (classic).

Personal access tokens (classic) are given permissions from a broad set of read and write scopes. They have access to all of the repositories and organizations that the user could access, and are allowed to live forever. As an example, the repo scope provides broad access to all data in private repositories the user has access to, in perpetuity.

Fine-grained personal access tokens, by contrast, are given permissions from a set of over 50 granular permissions that control access to GitHub’s organization, user, and repository APIs. Each permission can be granted on a ‘no access’, ‘read’ or ‘read and write’ basis. As an example, you can now create a PAT that can only read issues and do nothing else – not even read the contents of a repository.

In turn, setting one up for WinGet Releaser is more confusing, so documentation is needed to support this.

[russellbanks]

Whenever possible, GitHub recommends using fine-grained PATs instead of PATs (classic).