I have a noob question: what's the right way to use these tokens without password managers? I believe Github recommended assigning it as an environment variable in docs related to this deprecation, but isn't a (managed) server free to log the output of `echo $token`?
If there's a managed server you don't trust, it's unsafe to put anything that authenticates you to GitHub there, because it can (e.g.) modify the git command to push malicious code.
For a semi-trusted machine (e.g., you want to "git push" to work-related OSS from your work desktop, but you don't want your work HR/IT departments to have full access to your GitHub account if they decide they want it), make a new SSH key and configure it as a read/write deploy key for that one repo. This workflow is primarily intended for automation, but it's reasonable for this sort of interactive use as well.
One probably has to assume at least some level of control of any system where there's access to secrets where they're necessary for production processes.
But if you aren't confident of it, then at least that token only has access to a repository, and can't be exfiltrated to let somebody log in and really mess with your user account or your organization.
(All that said: I'd recommend a single-use, minimally privileged SSH key over an access token, just because that workflow's what you should be using on a desktop too.)
(It lets you login to GitHub in a popup browser window and then manages the access token for you. Stores the access token in a machine credential cache for subsequent calls on that machine.)
