Is your feature request related to a problem? Please describe.
Follow-up to PR #2815 (review comment).
Before PR #2815, NewScorecardCertifier acted as a configuration validator: if
GITHUB_AUTH_TOKEN was unset, construction failed loudly at init. PR #2815
changed this to a warning so the API-only path (which doesn't need the token)
can be used without forcing callers to set a token. This is a subtle behavior change for existing callers.
Describe the solution you'd like
Consider restoring fail-fast as the default with an explicit opt-in.
Add a functional option like WithAPIOnly() (or equivalent) that callers
pass when they knowingly want the API-only path. Without the opt-in,
NewScorecardCertifier would return an error when GITHUB_AUTH_TOKEN is
unset, matching the original contract and preserving the config-validation
guarantee that some operators depended on.
Is your feature request related to a problem? Please describe.
Follow-up to PR #2815 (review comment).
Before PR #2815,
NewScorecardCertifieracted as a configuration validator: ifGITHUB_AUTH_TOKENwas unset, construction failed loudly at init. PR #2815changed this to a warning so the API-only path (which doesn't need the token)
can be used without forcing callers to set a token. This is a subtle behavior change for existing callers.
Describe the solution you'd like
Consider restoring fail-fast as the default with an explicit opt-in.
Add a functional option like
WithAPIOnly()(or equivalent) that callerspass when they knowingly want the API-only path. Without the opt-in,
NewScorecardCertifierwould return an error whenGITHUB_AUTH_TOKENisunset, matching the original contract and preserving the config-validation
guarantee that some operators depended on.