GitHub's plan for a more secure NPM supply chain
github.blog

An annoyingly big part of the issue is GitHub Access Tokens - to this day there are still features we like to use in GitHub but can't because GitHub hasn't made them work with fine-grained tokens.
They still need a Personal Access Token - but many organisations restrict them now, and even bypassing that, the PAT tokens are too broad in their permissions (github cli being one example).
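A small audit helper for the classic-vs-fine-grained token problem raised in the comment above, as an added example that is not part of the original post or of any GitHub tooling. It assumes GitHub's public token prefixes (`ghp_` for classic PATs, `github_pat_` for fine-grained ones) and that classic-PAT scopes are reported in the `X-OAuth-Scopes` response header; the "broad scopes" list is an assumed local policy, and all sample values are constructed.

```python
from dataclasses import dataclass, field

# Token prefixes as documented publicly by GitHub (assumption: current format).
CLASSIC_PAT_PREFIX = "ghp_"
FINE_GRAINED_PAT_PREFIX = "github_pat_"

# Classic scopes this (assumed) policy treats as too broad for routine automation.
BROAD_SCOPES = {"repo", "workflow", "admin:org", "delete_repo", "write:packages"}


@dataclass
class TokenAudit:
    kind: str                              # "classic", "fine-grained" or "unknown"
    scopes: set = field(default_factory=set)
    broad: set = field(default_factory=set)  # scopes that violate the policy


def classify_token(token: str) -> str:
    """Identify the token family from its prefix without logging the secret."""
    if token.startswith(FINE_GRAINED_PAT_PREFIX):
        return "fine-grained"
    if token.startswith(CLASSIC_PAT_PREFIX):
        return "classic"
    return "unknown"


def parse_scopes(header_value: str) -> set:
    """Parse the comma-separated X-OAuth-Scopes header (empty for fine-grained tokens)."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit(token: str, oauth_scopes_header: str) -> TokenAudit:
    """Flag classic PATs whose granted scopes fall in the BROAD_SCOPES policy list."""
    kind = classify_token(token)
    scopes = parse_scopes(oauth_scopes_header)
    # Fine-grained tokens carry repository/permission grants instead of classic scopes,
    # so the broad-scope check only applies to classic PATs.
    broad = scopes & BROAD_SCOPES if kind == "classic" else set()
    return TokenAudit(kind, scopes, broad)


if __name__ == "__main__":
    # Constructed sample values; a real header comes from an API response.
    for tok, hdr in [("ghp_CONSTRUCTEDSAMPLE", "repo, read:org, workflow"),
                     ("github_pat_CONSTRUCTEDSAMPLE", "")]:
        result = audit(tok, hdr)
        print(f"{result.kind}: scopes={sorted(result.scopes)} broad={sorted(result.broad)}")
```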