Add a diagnostic job demonstrating the TokenOwner mechanism

Temporarily add a `diag-token` job to
`.github/workflows/cygwin-test.yml` that creates a directory through
four code paths and reports its NTFS Owner. The intent is to
empirically establish the cause of the Owner asymmetry that will be
described in detail by a later commit on this chain: a Cygwin or
Cygwin-derived runtime (`cygwin1.dll` for Cygwin git; `msys-2.0.dll`
loaded by Git for Windows's bundled MSYS2 `sh.exe`) rewrites the
process token's `TokenOwner` field at DLL initialization, and
`CreateProcessW` propagates that mutation to every descendant.

The four tests are:

| Test | Chain                                          | Predicted Owner          |
| ---- | ---------------------------------------------- | ------------------------ |
| A    | PowerShell `New-Item`                          | `BUILTIN\Administrators` |
| D    | Cygwin `mkdir`                                 | `runneradmin` (197108)   |
| F    | Cygwin bash -> Git for Windows `git init`      | `runneradmin` (197108)   |
| G    | PowerShell -> Git Bash -> PowerShell `New-Item`| `runneradmin` (197108)   |

A is the Win32 baseline. The kernel-default `TokenOwner` for
`runneradmin`'s full administrative token is `BUILTIN\Administrators`,
because `runneradmin` is the built-in local Administrator (RID 500) and
`FilterAdministratorToken=0` exempts it from UAC token filtering.

D is the Cygwin baseline. Cygwin's `cygheap_user::init` calls
`NtSetInformationToken(TokenOwner, &user_sid, ...)` at DLL init, and
the resulting Owner reflects the rewritten token.

F is the load-bearing case. The child is a Win32 binary that loads no
Cygwin runtime of its own. It produces a user-owned `.git`, proving
that the rewrite performed by the parent Cygwin bash propagates through
`CreateProcessW`'s token duplication to a Win32 descendant.

G strengthens the case: the first and last links are pure Win32 (a
fresh PowerShell using its own `New-Item` builtin), and only the middle
link is a Cygwin-family runtime (Git for Windows's bundled MSYS2
`bash.exe`, linked against `msys-2.0.dll`). The directory is still
user-owned, proving the mechanism does not depend on git, on
shell-dispatch via `git submodule`, or on any property of the
final-link binary -- only on whether *some* process in the ancestry
has loaded a Cygwin-family runtime.

This `diag-token` job, like the `reproduce-safe-dir` matrix added in
the previous commit, is temporary and should be removed before this
work is integrated.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: EliahKagan

.github/workflows/cygwin-test.yml

@@ -102,6 +102,73 @@ jobs:
       run: |
         pytest --color=yes -p no:sugar --instafail -vv ${{ matrix.additional-pytest-args }}
 
+  diag-token:
+    runs-on: windows-latest
+
+    env: *cygwin-env
+
+    defaults: *cygwin-defaults
+
+    steps:
+    - *force-lf
+    - *checkout
+    - *install-cygwin
+
+    - name: PowerShell-side token state and file-creation tests
+      shell: pwsh
+      run: |
+        $repo = "D:\a\GitPython\GitPython"
+        Write-Host "==================== whoami /all (PowerShell) ===================="
+        whoami /all
+        Write-Host ""
+        Write-Host "==================== Test A: PowerShell New-Item directory ===================="
+        $td = "$repo\test-pwsh-mkdir"
+        New-Item -ItemType Directory -Path $td -Force | Out-Null
+        $acl = Get-Acl -LiteralPath $td
+        Write-Host "Owner of $td : $($acl.Owner)"
+        Remove-Item $td -Force
+        Write-Host ""
+        Write-Host "==================== Test G: PowerShell -> Git Bash -> PowerShell New-Item ===================="
+        $td4 = "$repo\test-pwsh-bash-pwsh-mkdir"
+        $scriptPath = "$repo\inner-mkdir.ps1"
+        "New-Item -ItemType Directory -Path '$td4' -Force | Out-Null" |
+          Set-Content -Path $scriptPath -Encoding utf8
+        $env:MSYS2_ARG_CONV_EXCL = '*'
+        try {
+          & "C:\Program Files\Git\bin\bash.exe" -c "powershell.exe -NoProfile -ExecutionPolicy Bypass -File '$scriptPath'" 2>&1 | Out-Null
+        } finally {
+          Remove-Item Env:MSYS2_ARG_CONV_EXCL -ErrorAction SilentlyContinue
+        }
+        if (Test-Path -LiteralPath $td4) {
+          $acl = Get-Acl -LiteralPath $td4
+          Write-Host "Owner of $td4 (PowerShell -> bash -> PowerShell New-Item) : $($acl.Owner)"
+          Remove-Item $td4 -Force
+        } else {
+          Write-Host "Owner of $td4 (PowerShell -> bash -> PowerShell New-Item) : (directory not created)"
+        }
+        Remove-Item $scriptPath -Force -ErrorAction SilentlyContinue
+
+    - name: Cygwin-side token state and file-creation tests
+      run: |
+        set +e
+        echo "==================== id (Cygwin) ===================="
+        id
+        echo
+        echo "==================== Test D: Cygwin mkdir ===================="
+        td="$(pwd)/test-cygwin-mkdir"
+        mkdir "$td"
+        echo "Owner: $(stat -c '%U(%u)' "$td")"
+        rmdir "$td"
+        echo
+        echo "==================== Test F: Cygwin-spawned Git for Windows git init ===================="
+        td3="$(pwd)/test-cygwin-spawns-wingit"
+        mkdir "$td3"
+        ( cd "$td3" && /cygdrive/c/Program\ Files/Git/bin/git.exe init -q )
+        echo "Owner of $td3 (Cygwin-mkdir)             : $(stat -c '%U(%u)' "$td3")"
+        echo "Owner of $td3/.git (Cygwin->Win git init): $(stat -c '%U(%u)' "$td3/.git")"
+        rm -rf "$td3"
+        true
+
   reproduce-safe-dir:
     strategy:
       matrix: