Detect and warn about conflicting Github Tokens #4475

Open
aunovis-heidrich opened this issue Jan 2, 2025 · 1 comment
Labels
kind/enhancement New feature or request

Comments

@aunovis-heidrich

Is your feature request related to a problem? Please describe.
I kept on receiving the 401 Bad credentials HTTP code when trying to use scorecard, even though I had exported the GITHUB_TOKEN env var with a fresh PAT. A curl request with the PAT worked fine. Only when I started debugging accessor.go did it dawn on me that somewhere on my machine an expired PAT was exported to GITHUB_AUTH_TOKEN. Scorecard currently uses the first env var that exists, so it ignored my correct PAT and went with the expired one.

Describe the solution you'd like
I would like to check all possible names of env variables and print a warning message if their values conflict.

Describe alternatives you've considered

  • The maximum comfort solution would be to read and try all values until GitHub responds with OK, but I think a warning is a cleaner solution than hiding a somewhat broken environment from the user.
  • You could also ignore this request, but it did take me quite some time to figure out the issue. A warning would have significantly sped up the investigation.

Additional context
If you agree, I am willing to implement this as a PR. I am expecting maybe 50 lines of productive code and 50 lines of test code.
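
The check requested above, as an added example that is not scorecard's code and not part of the original post. `FindTokenConflict`, `TokenConflict` and the two-entry name list are hypothetical, built only from the variable names and precedence mentioned in the report; the warning names variables and never prints token values.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Names taken from the report, in the precedence it implies
// (GITHUB_AUTH_TOKEN won over GITHUB_TOKEN). Assumption: a real
// tool may consult more names; extend the slice if so.
var tokenEnvVars = []string{"GITHUB_AUTH_TOKEN", "GITHUB_TOKEN"}

// TokenConflict records which variable supplies the token and which
// other variables hold a different, ignored value.
type TokenConflict struct {
	Used     string
	Shadowed []string
}

// FindTokenConflict walks the names in precedence order. The lookup
// parameter is os.LookupEnv in production and a map in tests.
// Assumption: unset and empty variables are both skipped.
func FindTokenConflict(lookup func(string) (string, bool)) (TokenConflict, bool) {
	var c TokenConflict
	var usedVal string
	for _, name := range tokenEnvVars {
		val, ok := lookup(name)
		if !ok || val == "" {
			continue
		}
		if c.Used == "" {
			c.Used, usedVal = name, val // first match is the one used
		} else if val != usedVal {
			c.Shadowed = append(c.Shadowed, name)
		}
	}
	return c, len(c.Shadowed) > 0
}

// Warning names the variables only, so secrets never reach logs.
func (c TokenConflict) Warning() string {
	return fmt.Sprintf("warning: using token from %s; %s set to a different value and ignored",
		c.Used, strings.Join(c.Shadowed, ", "))
}

func main() {
	if c, conflict := FindTokenConflict(os.LookupEnv); conflict {
		fmt.Fprintln(os.Stderr, c.Warning())
	}
}
```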

@spencerschrock
Member

Thanks for the report, and wanting to save others from the pain.

> I would like to check all possible names of env variables and print a warning message if their values conflict.

Would this be only when receiving auth issues (e.g. 401)? Or in general?
