- Fix subdirectory matching: use prefix match for .github/* paths
instead of exact dirname match (fixes .github/workflows/ not matching)
- Upgrade tj-actions/changed-files from v44 to v47 (Node 24 support)
- Extract detection logic into scripts/detect-pipeline.sh for testability
- Add 22 automated tests in scripts/test-detect-pipeline.sh covering
infra-only, plugin code, mixed, and edge cases
- Add test-detection-logic CI job to run tests on every PR
- Update README.md to reference v47
cc @cpfarhood
Co-Authored-By: Paperclip <noreply@paperclip.ing>
This script was previously unversioned at /paperclip/privilegedescalation/agents/.
Moving it here enables proper PR-based review of changes.
The script generates GitHub App installation access tokens by:
1. Building a JWT using the GitHub App ID and PEM key
2. Fetching the installation ID
3. Exchanging for an installation access token
Used by all agents for GitHub API access.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation>
Chris Farhood
privilegedescalation-engineer[bot]