Move GitHub access token from query parameter into header (#1261)

GitHub deprecated passing the access token in the URL. This change moves
it to the Authorization header, which is more secure and compliant with
GitHub's current API standards. It also adds a test file.

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: mhucka

dev_tools/prepared_env.py

@@ -97,14 +97,14 @@ def report_status_to_github(
         if target_url is not None:
             payload['target_url'] = target_url
 
-        url = "https://api.github.com/repos/{}/{}/statuses/{}?access_token={}".format(
-            self.repository.organization,
-            self.repository.name,
-            self.actual_commit_id,
-            self.repository.access_token,
+        if self.actual_commit_id is None:
+            return
+        url = "https://api.github.com/repos/{}/{}/statuses/{}".format(
+            self.repository.organization, self.repository.name, self.actual_commit_id
         )
+        headers = {'Authorization': 'Bearer {}'.format(self.repository.access_token)}
 
-        response = requests.post(url, json=payload)
+        response = requests.post(url, json=payload, headers=headers, timeout=30)
 
         if response.status_code != 201:
             raise IOError(

dev_tools/prepared_env_security_test.py

@@ -0,0 +1,38 @@
+import unittest
+from unittest.mock import patch, MagicMock
+from dev_tools.prepared_env import PreparedEnv
+from dev_tools.github_repository import GithubRepository
+
+
+class TestPreparedEnvSecurity(unittest.TestCase):
+    @patch('requests.post')
+    def test_report_status_to_github_token_in_header(self, mock_post):
+        # Setup
+        mock_response = MagicMock()
+        mock_response.status_code = 201
+        mock_post.return_value = mock_response
+
+        repo = GithubRepository('my-org', 'my-repo', 'my-token')
+        env = PreparedEnv(repo, 'my-commit', 'compare-commit', None, None)
+
+        # Execute
+        env.report_status_to_github('success', 'desc', 'ctx')
+
+        # Verify
+        args, kwargs = mock_post.call_args
+        url = args[0]
+        headers = kwargs.get('headers', {})
+
+        # Security check: Token should NOT be in the URL
+        self.assertNotIn('access_token=my-token', url, "Token should not be passed in the URL")
+
+        # Security check: Token should be in the Authorization header
+        self.assertEqual(
+            headers.get('Authorization'),
+            'Bearer my-token',
+            "Token should be passed in the Authorization header",
+        )
+
+
+if __name__ == '__main__':
+    unittest.main()