
Support broader token scopes for recursion into private/internal repos #62

@joshjohanning

Description


Problem

PR #61 added recursion into remote composite actions and reusable workflows via octokit.rest.repos.getContent(). This works for public repos on github.com, but silently fails (404) for private or internal repos since the default GITHUB_TOKEN only has contents: read for the triggering repo, not cross-repo.

This is a common scenario — many organizations keep reusable workflows in a private shared repository.

Current behavior

When recursion encounters a private/internal repo, fetchRemoteFile returns { found: false } and the nested action references are not scanned. No error is thrown — it degrades gracefully.

Proposed solution

Document that the existing github-token input needs a broader-scoped token (PAT or GitHub App token with cross-repo contents: read) if users want recursion into private/internal repos.

Document an example using the create app token action.

Considerations

  • The immutability check itself always hits the github.com API (by design) — this is only about fetching file contents for recursion
  • A GitHub App token with contents: read across the org (or repos that have reusable workflows / actions) would be the least-privilege option
  • Should document this limitation in the README regardless
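As an added illustration of the documentation proposed above (not from this repository's README or code), a workflow that mints a least-privilege GitHub App installation token with actions/create-github-app-token and passes it through the github-token input; the action reference OWNER/ACTION-NAME, the variable and secret names, and the repository names are placeholders.

```yaml
name: Check action immutability

on: [pull_request]

permissions:
  contents: read   # default GITHUB_TOKEN: contents: read on this repo only

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # Mint a short-lived installation token from a GitHub App installed on the
      # org. Restricting `repositories` and `permission-contents` keeps it at
      # least privilege: read-only, and only on the repos that host the shared
      # reusable workflows / composite actions the recursion needs to fetch.
      - name: Create app token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.IMMUTABILITY_APP_ID }}          # placeholder variable
          private-key: ${{ secrets.IMMUTABILITY_APP_KEY }} # placeholder secret
          owner: ${{ github.repository_owner }}
          repositories: shared-workflows,shared-actions     # placeholder repos
          permission-contents: read

      - uses: actions/checkout@v4

      # Hand the app token to the action instead of the default GITHUB_TOKEN so
      # getContent() on private/internal repos no longer 404s and recursion no
      # longer degrades silently to { found: false }.
      - name: Check immutable action references
        uses: OWNER/ACTION-NAME@v1   # placeholder: this project's own action
        with:
          github-token: ${{ steps.app-token.outputs.token }}
```

The installation token expires on its own after the job, so nothing long-lived is stored beyond the App private key secret.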

Labels: enhancement (New feature or request)