From 82d710b6b51f619fa228b18b396f0e5e071c3ea7 Mon Sep 17 00:00:00 2001
From: Paul Querna <paul.querna@conductorone.com>
Date: Sun, 31 May 2026 15:34:34 +0000
Subject: [PATCH] nhi: emit STATIC_SECRET credential type for fine-grained PATs

Annotate the already-synced api-key resource (fine-grained personal
access token) with the NHI Phase-1 spine secret trait: credential type
STATIC_SECRET and detail github.token.pat.

Bumps baton-sdk to v0.11.0 for the WithSecretType/WithSecretDetail
helpers and the SecretTrait_CredentialType enum (interim; rebases after
the fleet bump).

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
---
 pkg/connector/api_token.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/connector/api_token.go b/pkg/connector/api_token.go
index a1e5b46a..6525860e 100644
--- a/pkg/connector/api_token.go
+++ b/pkg/connector/api_token.go
@@ -15,6 +15,8 @@ func apiTokenResource(ctx context.Context, token *github.PersonalAccessToken) (*
 
 	options := []resourceSdk.SecretTraitOption{}
 	options = append(options,
+		resourceSdk.WithSecretType(v2.SecretTrait_CREDENTIAL_TYPE_STATIC_SECRET),
+		resourceSdk.WithSecretDetail("github.token.pat"),
 		resourceSdk.WithSecretCreatedByID(&v2.ResourceId{
 			ResourceType:  resourceTypeUser.Id,
 			Resource:      strconv.FormatInt(userId, 10),