Use externalRepoAuth when getting a remote config

This allows users to specify a different token for retrieving the
codeql config from a different repository.

Fixes https://github.com/github/advanced-security-field/issues/185

lib/api-client.js

@@ -20,11 +20,12 @@ var DisallowedAPIVersionReason;
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-exports.getApiClient = function (apiDetails, allowLocalRun = false) {
+exports.getApiClient = function (apiDetails, { allowLocalRun = false, allowExternal = false } = {}) {
     if (util_1.isLocalRun() && !allowLocalRun) {
         throw new Error("Invalid API call in local run");
     }
-    return new githubUtils.GitHub(githubUtils.getOctokitOptions(apiDetails.auth, {
+    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
+    return new githubUtils.GitHub(githubUtils.getOctokitOptions(auth, {
         baseUrl: getApiUrl(apiDetails.url),
         userAgent: "CodeQL Action",
         log: console_log_level_1.default({ level: "debug" }),
@@ -49,7 +50,7 @@ function getActionsApiClient(allowLocalRun = false) {
         auth: actions_util_1.getRequiredInput("token"),
         url: actions_util_1.getRequiredEnvParam("GITHUB_SERVER_URL"),
     };
-    return exports.getApiClient(apiDetails, allowLocalRun);
+    return exports.getApiClient(apiDetails, { allowLocalRun });
 }
 exports.getActionsApiClient = getActionsApiClient;
 //# sourceMappingURL=api-client.js.map