✨ Add more github token names for env variable (#694)

* draft

* commit 1

* dead code

* comments

* merge fix

* typo

README.md

@@ -233,7 +233,7 @@ For example, `--checks=CI-Tests,Code-Review`.
 Before running Scorecard, you need to, either:
 
 -   [create a GitHub access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)
-    and set it in environment variable `GITHUB_AUTH_TOKEN`. This helps to avoid
+    and set it in an environment variable called `GITHUB_AUTH_TOKEN`, `GITHUB_TOKEN`, `GH_AUTH_TOKEN` or `GH_TOKEN`. This helps to avoid
     the GitHub's
     [api rate limits](https://developer.github.com/v3/#rate-limiting) with
     unauthenticated requests.
@@ -241,14 +241,15 @@ Before running Scorecard, you need to, either:
 ```shell
 # For posix platforms, e.g. linux, mac:
 export GITHUB_AUTH_TOKEN=<your access token>
+# Multiple tokens can be provided separated by comma to be utilized
+# in a round robin fashion.
+export GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>
 
 # For windows:
 set GITHUB_AUTH_TOKEN=<your access token>
+set GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>
 ```
 
-Multiple `GITHUB_AUTH_TOKEN` can be provided separated by comma to be utilized
-in a round robin fashion.
-
 -   create a GitHub App Installations for higher rate-limit quotas. If you have
     an installed GitHub App and key file, you can use these three environment
     variables, following the commands shown above for your platform.

cmd/root.go

@@ -67,10 +67,6 @@ or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show
 	Short: "Security Scorecards",
 	Long:  "A program that shows security scorecard for an open source software.",
 	Run: func(cmd *cobra.Command, args []string) {
-		if token, exists := os.LookupEnv("GITHUB_AUTH_TOKEN"); !exists || token == "" {
-			log.Fatalf("GITHUB_AUTH_TOKEN env var is not set. Please set this to your Github PAT before running this command.")
-		}
-
 		cfg := zap.NewProductionConfig()
 		cfg.Level.SetLevel(*logLevel)
 		logger, err := cfg.Build()

roundtripper/roundtripper.go

@@ -28,9 +28,11 @@ import (
 	"github.com/ossf/scorecard/clients/githubrepo"
 )
 
+// GithubAuthTokens are for making requests to GiHub's API.
+var GithubAuthTokens = []string{"GITHUB_AUTH_TOKEN", "GITHUB_TOKEN", "GH_TOKEN", "GH_AUTH_TOKEN"}
+
 const (
-	// GithubAuthToken is for making requests to GiHub's API.
-	GithubAuthToken = "GITHUB_AUTH_TOKEN" // #nosec G101
+
 	// GithubAppKeyPath is the path to file for GitHub App key.
 	GithubAppKeyPath = "GITHUB_APP_KEY_PATH"
 	// GithubAppID is the app ID for the GitHub App.
@@ -39,11 +41,21 @@ const (
 	GithubAppInstallationID = "GITHUB_APP_INSTALLATION_ID"
 )
 
+func readGitHubTokens() (string, bool) {
+	for _, name := range GithubAuthTokens {
+		if token, exists := os.LookupEnv(name); exists && token != "" {
+			return token, exists
+		}
+	}
+	return "", false
+}
+
 // NewTransport returns a configured http.Transport for use with GitHub.
 func NewTransport(ctx context.Context, logger *zap.SugaredLogger) http.RoundTripper {
 	transport := http.DefaultTransport
 
-	if token := os.Getenv(GithubAuthToken); token != "" {
+	// nolint
+	if token, exists := readGitHubTokens(); exists {
 		// Use GitHub PAT
 		transport = githubrepo.MakeGitHubTransport(transport, strings.Split(token, ","))
 	} else if keyPath := os.Getenv(GithubAppKeyPath); keyPath != "" { // Also try a GITHUB_APP
@@ -59,6 +71,9 @@ func NewTransport(ctx context.Context, logger *zap.SugaredLogger) http.RoundTrip
 		if err != nil {
 			log.Panic(err)
 		}
+	} else {
+		log.Fatalf("GitHub token env var is not set. " +
+			"Please read https://github.com/ossf/scorecard#authentication")
 	}
 
 	return MakeCensusTransport(MakeRateLimitedTransport(transport, logger))