feat: update docs for fine-grained-access tokens

bahrmichael · bahrmichael · commit b9238964f24b · 2025-03-11T14:23:14.000+01:00
diff --git a/docs/batch-changes/configuring-credentials.mdx b/docs/batch-changes/configuring-credentials.mdx
@@ -101,13 +101,71 @@ Let's learn how you can do it for different code hosts.
 
 ### GitHub
 
-On GitHub.com, [create a personal access token (classic) with the correct scopes](https://github.com/settings/tokens/new?scopes=repo,read:org,user:email,read:discussion,workflow).
+On GitHub.com, create a personal access token or fine-grained access token with the correct scopes.
 
 The `workflow` scope is technically only required if your batch changes modify files in the `.github` directory of a repository. Still, it's recommended to enable it regardless to avoid confusing errors at a later time.
 
 When working with organizations that have SAML SSO (Single Sign On) enabled, configuring credentials requires an additional step that [involves white-listing the token for use in that organization](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on).
 
-<Callout type="info">At present, only classic personal access tokens (PATs) are supported. Alternative token types like OAuth access tokens (e.g., OAuth apps), and fine-grained personal access tokens (PATv2) are not supported.</Callout>
+<Callout type="info">At present, only classic and fine-grained access tokens are supported. Alternative token types like OAuth access tokens (e.g. OAuth apps) are not supported.</Callout>
+
+#### Personal Access Token
+
+Personal access tokens will have access to all repositories that you have access to.
+
+[Click here to prefill the form](https://github.com/settings/tokens/new?scopes=repo,read:org,user:email,read:discussion,workflow).
+
+Required Scopes:
+- `repo`
+- `read:org`
+- `user:email`
+- `read:discussion`
+- `workflow`
+
+#### Fine-Grained Access Token
+
+Fine-grained access tokens allow more granular control of what actions can be performed for a given set of repositories. Most notably, fine-grained access tokens don't grant access by default to all repositories that you have access to.
+
+In contrast to personal access tokens, fine-grained access tokens for organization resources may be restricted, may have an expiration, and may require approval.
+
+**Restriction**: If an administrator of your GitHub organization has restricted access via fine-grained access tokens, you may not be able to use them for Batch Changes.
+
+**Expiration**: If your organization has configured fine-grained access tokens to have maximum lifetimes, you may need to recreate the token when it has expired.
+
+**Approval**: If your organization has configured fine-grained access tokens to require approval, you may need to wait for an administrator to approve the token before you can use it with Batch Changes.
+
+Start by navigating to the form for creating a [new fine-grained access token](https://github.com/settings/personal-access-tokens/new).
+
+Pick the resource owner that owns the repositories you want to use with Batch Changes. This will most likely be your company's GitHub organization.
+
+PICTURE
+
+Scroll down and select "All repositories" so that your token can access all current and future repositories that you have access to. You may restrict it to "Only select repositories", but may have to generate a new token when you want to handle a new repository with Batch Changes.
+
+PICTURE
+
+Under "Permissions" click on the arrows on the right-hand side to expand the list for repository and organization permissions.
+
+PICTURE
+
+Under "Repository permissions", select the following permissions:
+- Commit statuses: Read-only
+- Contents: Read and write
+- Discussions: Read-only
+- Metadata: Read-only
+- Pull requests: Read and write
+- Workflows: Read and write
+
+Under "Organization permissions", select the following permissions:
+- Custom properties: Read-only
+
+Once you created the token, copy it and add it to your Batch Changes credentials.
+
+If your organization requires approval for fine-grained access tokens, you need to wait for an administrator to approve the token.
+
+PICTURE
+
+TODO: Rest of text
 
 ### GitHub Enterprise
 
@@ -129,7 +187,7 @@ When working with organizations that have SAML SSO (Single Sign On) enabled, con
 
 <Callout type="warning">Currently, for customers on an instance of GitHub Enterprise Cloud that uses [SSH certificate authorities](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities) and requires SSH certificates to authenticate, we are unable to provide a means of authenticating Batch Changes to your code host.</Callout>
 
-<Callout type="info">At present, only classic personal access tokens (PATs) are supported. Alternative token types like OAuth access tokens (e.g. OAuth apps), and fine-grained personal access tokens (PATv2) are not supported.</Callout>
+<Callout type="info">At present, only classic personal and fine-grained access tokens are supported. Alternative token types like OAuth access tokens (e.g. OAuth apps) are not supported.</Callout>
 
 ### GitLab
 
@@ -239,4 +297,4 @@ To remove a GitHub app from your Sourcegraph instance, navigate back to the same
   <source src="https://sourcegraphstatic.com/docs/videos/batch_changes/2024/batches-github-app-delete.mp4" type="video/mp4" />
 </video>
 
-If you want to delete the GitHub app entirely you have to navigate to [GitHub's list of applications](https://github.com/settings/apps/), and delete it from there.
+If you want to delete the GitHub app entirely you have to navigate to [GitHub's list of applications](https://github.com/settings/apps/), and delete it from there.
