vedantmgoyal9 / winget-releaser

Publish new releases of your application to the Windows Package Manager easily.

Home Page: https://docs.bittu.eu.org/docs/winget-releaser-playground


[Feature/Idea]: Fine-grained tokens seem to support the GraphQL API now

ClementTsang opened this issue · comments

What would you like to see changed/added?

Hi! I was recently going through setting this up on one of my own applications as it looks great. However, as I was setting it up, I noted that the README currently mentions:

New fine-grained PATs can't access GitHub's GraphQL API, so they aren't supported by this action. Refer to cli/cli#6680 for more information.

However, going to the linked issue, as of a few weeks ago, it seems like fine-grained PATs can now call the GraphQL API.

If winget-releaser doesn't currently work with these, then it would be nice if they did (would be happy to try and help if that would be desired), along with instructions on how to use them. And whether it does or does not already support fine-grained PATs, I think it would be good to update the README to be more accurate.

commented

@ClementTsang You can use a fine-grained token and if it works, I will update the docs (you're also welcome to contribute to it, would be more than happy 😃) accordingly. Please start with the lowest set of permissions and go higher step-by-step. People are extremely concerned about security, so just the required permissions should be mentioned in README.

Tried it with a fine-grained token - unfortunately, it seems like there's a small issue with creating the PR itself (the branch is created fine though), and I get this error:

Found forked winget-pkgs repository: ClementTsang/winget-pkgs
  Failed to create pull request after 3 attempts.
  Reason: {"message":"Resource not accessible by personal access token","documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}.
  node:internal/errors:841
    const err = new Error(message);

This is weird as I have the following settings for the fine-grained PAT specified for my personal winget fork:

[screenshot of the fine-grained PAT permission settings]

Curious as to why it's failing there.


The changelog (https://github.blog/changelog/2023-04-27-graphql-improvements-for-fine-grained-pats-and-github-apps) states that the resource owner of the token and the resource owner of the resource being accessed should match exactly.

In the case of the action, we are opening a PR on a repo (winget-pkgs) owned by an organization (microsoft), which is not set as the resource owner of the token. This is why opening a PR using a fine-grained personal access token results in a failed API response: the resource owner of the token is the maintainer ("us"), who is trying to access a resource that falls under a different resource owner.

To create a PR using a fine-grained personal access token successfully, we would need to create a token with "microsoft" as the resource owner, and for that we would first need to be a member of the microsoft organization.


Thus, we will have to continue using the classic personal access token for the action.
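As an added illustration (not part of winget-releaser or this thread), the resource-owner rule and the 403 from the log above can be turned into a preflight check that tells a user why the PR step failed. The function names, the sample response, and the assumption that only classic tokens return an `x-oauth-scopes` header are mine.

```javascript
// Added example, not the action's own code. Assumption: GitHub returns the
// x-oauth-scopes header only for classic tokens, never for fine-grained ones.
const PAT_NOT_ACCESSIBLE = "Resource not accessible by personal access token";

// Fine-grained PATs may only act on repos owned by the token's resource owner,
// so a PR against microsoft/winget-pkgs needs a token whose owner is microsoft.
function fineGrainedTokenCanOpenPr(tokenResourceOwner, targetRepoOwner) {
  return tokenResourceOwner.toLowerCase() === targetRepoOwner.toLowerCase();
}

// Classify the response to POST /repos/{owner}/{repo}/pulls.
// `headers` is a plain object keyed by lowercase header name.
function classifyCreatePrResponse(status, headers, body, targetRepoOwner) {
  if (status === 201) return { ok: true, kind: "created", hint: "pull request created" };
  let parsed;
  try { parsed = JSON.parse(body); } catch { parsed = { message: String(body) }; }
  if (status === 401) return { ok: false, kind: "bad-token", hint: "token invalid or expired" };
  if (status === 403 && parsed.message === PAT_NOT_ACCESSIBLE) {
    if (!("x-oauth-scopes" in headers)) {
      // No scopes header: fine-grained PAT whose resource owner is not the repo owner.
      return {
        ok: false,
        kind: "resource-owner-mismatch",
        hint: `fine-grained token cannot act on repos owned by ${targetRepoOwner}; ` +
              `its resource owner must be ${targetRepoOwner}, otherwise use a classic PAT`,
      };
    }
    return { ok: false, kind: "missing-scope",
             hint: `classic token lacks a required scope (has: ${headers["x-oauth-scopes"] || "none"})` };
  }
  return { ok: false, kind: "unexpected", hint: `unexpected HTTP ${status}: ${parsed.message}` };
}

// Constructed sample reproducing the error body quoted in the thread.
const SAMPLE_BODY = JSON.stringify({
  message: PAT_NOT_ACCESSIBLE,
  documentation_url: "https://docs.github.com/rest/reference/pulls#create-a-pull-request",
});
const sampleResult = classifyCreatePrResponse(403, {}, SAMPLE_BODY, "microsoft");
```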

This should be closed as "not planned" instead of completed.