[Security] scoop.yml — PAT inlined in git clone URL, inconsistent with earlier url.insteadOf pattern #718

@Christophe-Rogiers

Description

Severity: Warning
File: .github/workflows/scoop.yml line 147

Description:
The workflow already demonstrates the hardened pattern for authenticated git operations earlier in the same file. Lines 88–97 set up an env variable and rewrite https://github.com/ with url.insteadOf, so no subsequent git command has the PAT on its argv:

# scoop.yml:88–97 (good)
env:
  GH_PAT: ${{ secrets.PAT }}
run: |
    git config --global url."https://x-access-token:${env:GH_PAT}@github.com/".insteadOf "https://github.com/"
    git clone https://github.com/aelassas/scoop-bucket.git scoop-bucket

The second authenticated clone at line 147 reverts to inlining the secret into the URL:

# scoop.yml:147 (inconsistent)
run: |
    git clone https://x-access-token:${{ secrets.PAT }}@github.com/aelassas/Extras.git extras

With ${{ secrets.PAT }} substituted into a run: block, the expanded command ends up in the shell trace path; even with Actions' automatic secret-masking in logs this has been a recurring source of leaks on failure paths (e.g., git prompting on stderr, credential helpers echoing). It is also internally inconsistent with the file's own earlier hardening.

Suggested fix:
Reuse the same env + url.insteadOf approach for the second clone. Either keep the global git config from the earlier step active (no teardown between steps) or re-declare it:

env:
  GH_PAT: ${{ secrets.PAT }}
run: |
    git config --global url."https://x-access-token:${env:GH_PAT}@github.com/".insteadOf "https://github.com/"
    git clone https://github.com/aelassas/Extras.git extras
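As an added detection check (not part of this issue or of the aelassas workflow), the following Python scan flags any workflow line where a `${{ secrets.* }}` expression sits in the userinfo part of a URL, which is exactly the line-147 pattern; lines that use the `${env:GH_PAT}` indirection pass. The sample workflow text is constructed to mirror the two steps quoted above.

```python
import re

# Constructed sample modelled on the two steps quoted in the issue; not the real scoop.yml.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: windows-latest
    steps:
      - name: Clone bucket (hardened)
        env:
          GH_PAT: ${{ secrets.PAT }}
        run: |
          git config --global url."https://x-access-token:${env:GH_PAT}@github.com/".insteadOf "https://github.com/"
          git clone https://github.com/aelassas/scoop-bucket.git scoop-bucket
      - name: Clone extras (inconsistent)
        run: |
          git clone https://x-access-token:${{ secrets.PAT }}@github.com/aelassas/Extras.git extras
"""

# Matches scheme://<userinfo containing ${{ secrets.NAME }}>@host, i.e. a secret
# expanded by Actions directly into the credential part of a URL on the command line.
INLINE_SECRET_URL = re.compile(
    r"[a-z][a-z0-9+.-]*://[^\s@]*\$\{\{\s*secrets\.(\w+)\s*\}\}[^\s@]*@"
)


def find_inlined_secret_urls(workflow_text):
    """Return (line_number, secret_name, stripped_line) for each offending line.

    Only the raw ${{ secrets.* }} form is flagged; the env-variable indirection
    (${env:GH_PAT} on a Windows runner) never reaches git's argv via Actions
    templating and is therefore not reported.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = INLINE_SECRET_URL.search(line)
        if match:
            findings.append((lineno, match.group(1), line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, name, line in find_inlined_secret_urls(SAMPLE_WORKFLOW):
        print(f"line {lineno}: secrets.{name} inlined into a URL: {line}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_inlined_secret_urls`; an empty result means every authenticated clone goes through an env variable rather than the URL.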

Labels

CI/CD