CI: GITHUB_TOKEN to fix vscode-ripgrep downloading issues

[DeeDeeG]

Requirements for Contributing a Bug Fix (from template)

Requirements for Contributing a Bug Fix

• Fill out the template below. Any pull request that does not include enough information to be reviewed in a timely manner may be closed at the maintainers' discretion.
• The pull request must only fix an existing bug. To contribute other changes, you must use a different template. You can see all templates at https://github.com/atom/.github/tree/master/.github/PULL_REQUEST_TEMPLATE.
• The pull request must update the test suite to demonstrate the changed functionality. For guidance, please see https://flight-manual.atom.io/hacking-atom/sections/writing-specs/.
• After you create the pull request, all status checks must be pass before a maintainer reviews your contribution. For more details, please see https://github.com/atom/.github/tree/master/CONTRIBUTING.md#pull-requests.

Identify the Bug

#1 (comment) (bug)

#1 (comment) (explanation)

Description of the Change

Pass the GITHUB_TOKEN env var through to the bootstrap script step of CI.

Given that we have set this as a secret variable in Azure DevOps UI, the variable will not be passed through to - script steps in the Azure DevOps CI unless we explicitly pass it with the - env yaml key.

More context, and thoughts on how upstream may be handling this (click to expand):

(I noticed some time ago that the configs use this variable GITHUB_TOKEN in several places, but I was recently surprised to find it is not used here, at least not the way a secret variable would need to be used.

I can only infer that Upstream has a GITHUB_TOKEN that isn't set as secret, or they would theoretically be seeing this issue as well.)

Alternate Designs

• We could set GITHUB_TOKEN as a regular (not secret) variable in Azure DevOps UI, but the personal tokens are arguably somewhat sensitive, so this isn't recommended.

More thoughts on whether Personal Access Tokens are sensitive or not (click to expand):

A properly configured Personal Access Token is capable of accessing the API on your behalf, such as for read-only access to information on GitHub. But by default, Personal Access Tokens are apparently not authorized to update your repos, or do anything else destructive. Still, keeping the token secret is in line with guidance from GitHub, and just seems prudent. Maybe an exploit will be discovered, which could allowing Personal Access Tokens to have more authority to make destructive changes than they are supposed to be able to have. In any case, having the access token be a secret variable seems sensible to me.

Possible Drawbacks

None that I am aware of.

Verification Process

I have been using this in my CI runs lately, and I don't think I've observed the "failure to download ripgrep" error with this set up properly.

Release Notes

N/A

[DeeDeeG]

Without this (860513e) on master, I am blocked from working on anything. My CI runs won't bootstrap on macOS and have little chance of passing.

Please allow this on master, and either rebase your work on top, or merge the commit in to the various branches you are working on.

I am happy to add it to master myself, but as this would cause merge conflicts, I am consulting you about it first.