Supply authorization parameter to toolcache.downloadTool()

Previously we supplied the authorization information via the 'headers'
parameter. This works fine, except in some cases when the request is
retried.

lib/setup-codeql.js

@@ -411,12 +411,13 @@ async function downloadCodeQL(codeqlURL, maybeCliVersion, apiDetails, variant, t
     // from the same GitHub instance the Action is running on.
     // This avoids leaking Enterprise tokens to dotcom.
     // We also don't want to send an authorization header if there's already a token provided in the URL.
+    let authorization = undefined;
     if (searchParams.has("token")) {
         logger.debug("CodeQL tools URL contains an authorization token.");
     }
     else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
         logger.debug("Providing an authorization token to download CodeQL tools.");
-        headers.authorization = `token ${apiDetails.auth}`;
+        authorization = `token ${apiDetails.auth}`;
     }
     else {
         logger.debug("Downloading CodeQL tools without an authorization token.");
@@ -425,7 +426,7 @@ async function downloadCodeQL(codeqlURL, maybeCliVersion, apiDetails, variant, t
     const dest = path.join(tempDir, (0, uuid_1.v4)());
     const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
     const toolsDownloadStart = perf_hooks_1.performance.now();
-    const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
+    const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, authorization, finalHeaders);
     const toolsDownloadDurationMs = Math.round(perf_hooks_1.performance.now() - toolsDownloadStart);
     logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
     const codeqlExtracted = await toolcache.extractTar(codeqlPath);