feat: add secret helper

[mnkiefer]

Secret helper and tokens bootstrap command

• Add a gh aw secret set command that sets GitHub Actions repository secrets via the public‑key REST API using NaCl sealed‑box encryption, with no external secret helper dependencies.
• Adds golang.org/x/crypto to go.mod/go.sum to support NaCl sealed‑box encryption.
• Adds a GitHub Tokens reference/guide with:
  • A concise, scenario‑based quick‑start table, and
  • A Security and scopes section that recommends minimal PAT/App scopes and per‑workflow permissions: usage.
• Add a new gh aw tokens bootstrap command that inspects the current repo’s secrets via the GitHub CLI and prints which recommended gh‑aw token secrets are missing, when they’re needed, suggested scopes, and gh aw secret set commands to add them. The command is read‑only and does not create tokens or secrets itself.
• Always keeps all token consent and scope decisions with the user: they still create PATs in GitHub’s UI, with docs and CLI output pointing them to minimal, scenario‑specific scopes. This reduces token sprawl, clarifies exactly which secrets are needed when, and proactively flags missing or under‑scoped tokens so GitHub Agentic Workflows fail less often on permissions issues.

[Copilot]

Pull request overview

This PR introduces a token management system for GitHub Agentic Workflows, adding a new CLI command to help users bootstrap and validate their GitHub token secrets, along with an internal helper tool for programmatic secret management.

Key changes:

• New gh aw tokens bootstrap command that inspects repository secrets and provides guidance on missing tokens
• Internal ghsecret tool that sets GitHub Actions repository secrets using NaCl encryption
• Enhanced documentation with security best practices and least-privilege guidance

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/cli/tokens.go	New parent command for token-related utilities
pkg/cli/tokens_bootstrap.go	New bootstrap subcommand that checks and suggests token setup (missing cobra import)
internal/tools/ghsecret/main.go	Internal tool for setting repository secrets via GitHub API with NaCl encryption
go.mod	Added golang.org/x/crypto v0.36.0 dependency for NaCl encryption support
go.sum	Updated checksums for new crypto dependency
docs/src/content/docs/reference/tokens.md	Added quick start guide and security best practices for token configuration
cmd/gh-aw/main.go	Integrated new tokens command into CLI with setup group assignment

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mnkiefer]

@copilot fix lint issues

[Copilot]

@mnkiefer I've opened a new pull request, #6233, to work on those changes. Once the pull request is ready, I'll request review from you.

[mnkiefer]

@pelikhan: This PR attempts to tackle the user pain of figuring out the right GitHub token and permissions setup by standardizing how gh‑aw uses GITHUB_TOKEN and PATs, and by giving you a concrete token/permissions checklist instead of opaque trial‑and‑error.

[pelikhan]

• must work properly from a codespace with underprivileged token (graceful failure )

[pelikhan]

Why a separate tool? We typically have sub comments instead.

[pelikhan]

Aside from comments this is really good. Configuring tokens is the #1 source of friction.

I would like to see the token validation flow merged into the "init" command (init --tokens) and also the install.md should be smart about it.