What happens to previous PATs after org level personal-access-tokens-onboarding? #146432
Unanswered
yeongrokgim asked this question in Actions
Select Topic Area
Question
Body
Somewhat related topic
Background
I was using a machine user's classic PAT to fetch organization repositories, as suggested by the docs, paying for 1 extra seat for automation.
Now I need to trigger a CI workflow on push, made by a bot, which requires GITHUB_TOKEN from other than repositories.
To minimize security concerns, a least-privilege policy should be used. Now it seems GitHub encourages fine-grained tokens, so I tried to enable an org member (machine user) to create a fine-grained PAT to access the repo, preferably only allowing triggering CI.
Then I encountered this.
This page should describe the consequences of the change. It should also warn users to reconfigure/migrate classic PATs that were made from machine users, if the later radio button disables them.
So, the question is:
Restrict access via personal access tokens (classic) immediately blocks classic PATs that have been created and used by machine users?
Allow access via personal access tokens (classic) revokes org access from a member's PAT? Or should everything be working as-is even after this selection?
If possible, please update the above page to improve org customers' understanding of permissions.