I have an API that is being called from a long running github action. There is a github token, GITHUB_TOKEN, which can be sent with requests to my API, but I can't find a way to verify which repo the token came from. Environment variable GITHUB_REPOSITORY is set in the action and I can ferry that along into my API, but I can't be certain that a bad actor isn't using a different github action and simply injecting their own GITHUB_REPOSITORY and sending it along to my API.
I tried to call https://api.github.com/user like:
curl --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
https://api.github.com/user
but it responds:
{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
}
I can only do certain github api calls with a token for the wrong repo, but many of these actions work for public github repos.
Given a GITHUB_TOKEN, how can I validate which repo the action token is from in both public and private repo actions? I'd prefer to do this in a read-only fashion. If I have to, I'll do it with some silly write to the repo which only github-actions for that repo may do, hopefully followed by an immediate erasure of my write.
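An added example, not part of the question and not GitHub's own code, of the server-side check this is really asking for: instead of trusting a forwarded GITHUB_REPOSITORY, the API verifies a GitHub Actions OIDC ID token (which a workflow with `id-token: write` permission requests with an `audience` naming the API) and takes the repository from the signed claims. It assumes the JWKS was already fetched from the issuer's `/.well-known/jwks` endpoint, the audience string is one you chose, and only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Issuer of Actions ID tokens; GitHub publishes the signing keys as a JWKS at <Issuer>/.well-known/jwks
const Issuer = "https://token.actions.githubusercontent.com"

// Minimal JWKS and claims models; encoding/json matches object keys case-insensitively.
type JWK struct{ Kid, N, E string }
type JWKS struct{ Keys []JWK }
type Claims struct {
	Iss, Aud, Repository string
	Exp                  int64
}

func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// VerifyActionsToken checks the RS256 signature with the JWKS key named by the header's kid,
// then issuer, audience and expiry, and returns the repository claim that GitHub signed.
func VerifyActionsToken(token, audience string, keys JWKS, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if h, err := b64(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unreadable header or unsupported alg") // also rejects alg=none
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, errN := b64(k.N)
		e, errE := b64(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	if sig, err := b64(parts[2]); pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("unknown kid or invalid signature")
	}
	var c Claims
	if p, err := b64(parts[1]); err != nil || json.Unmarshal(p, &c) != nil || c.Iss != Issuer || c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("claims unreadable, or issuer/audience/expiry check failed")
	}
	return c.Repository, nil // bound to GitHub's signature, not to a client-supplied GITHUB_REPOSITORY
}
```

Because the repository name is inside the signed payload, a caller from another repo cannot substitute it without invalidating the signature, and the audience check stops a token minted for some other service from being replayed against this API.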