cmd/installer: Cleanups (2/n)

[justaugustus]

Continuation of #301.
Part of #52 and #765.

• go.mod: Update to github.com/google/go-github/v46
• install/github: Comment out GitHub client code
• install/github: Use scorecard roundtripper for authentication
• install/github: Restore commented-out code
• Fix lint warnings
• install: Skip workflow creation if file already exists
• install: Don't block PR creation if the workflow file does not exist
• install/github: Reference pull request link in log message
• install: Parameterize method inputs
• install: Improve pull request description
• Move repo installation tool to cmd/ directory
• cmd/installer: Update installation instructions
• install: Improve log messages
• install: Restructure Run() function to reduce cognitive complexity
• install/github: Add functions for generating GitHub API options

Signed-off-by: Stephen Augustus foo@auggie.dev

[codecov]

Codecov Report

Merging #833 (a75835f) into main (2693af3) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #833   +/-   ##
=======================================
  Coverage   64.10%   64.10%           
=======================================
  Files           4        4           
  Lines         234      234           
=======================================
  Hits          150      150           
  Misses         72       72           
  Partials       12       12           

Impacted Files	Coverage Δ
cmd/installer/main.go	0.00% <ø> (ø)
signing/signing.go	34.48% <ø> (ø)

[justaugustus]

Here's what an installer run looks like in de6c4cd:

❯ GITHUB_TOKEN=$(cat ~/.github-token) go run cmd/installer/main.go --owner uwu-tools
2022/08/22 04:46:21 No repositories provided. Fetching all repositories under organization.
2022/08/22 04:46:21 getting repo metadata for go-ghcrawl
2022/08/22 04:46:21 checking for scorecard workflow file (.github/workflows/scorecards.yml)
2022/08/22 04:46:22 checking for scorecard workflow file (.github/workflows/scorecards-analysis.yml)
2022/08/22 04:46:22 could not find a scorecard workflow file: getting repo content: GET https://api.github.com/repos/uwu-tools/go-ghcrawl/contents/.github/workflows/scorecards-analysis.yml: 404 Not Found []
2022/08/22 04:46:24 successfully created PR #6 for repository go-ghcrawl: https://github.com/uwu-tools/go-ghcrawl/pull/6
2022/08/22 04:46:24 finished processing repository go-ghcrawl
2022/08/22 04:46:24 getting repo metadata for k-release
2022/08/22 04:46:24 checking for scorecard workflow file (.github/workflows/scorecards.yml)
2022/08/22 04:46:24 checking for scorecard workflow file (.github/workflows/scorecards-analysis.yml)
2022/08/22 04:46:24 skipping repo (k-release) since scorecard workflow already exists: .github/workflows/scorecards-analysis.yml
2022/08/22 04:46:24 finished processing repository k-release

And here's what an example pull request looks like: uwu-tools/go-ghcrawl#6

[justaugustus]

@ossf/scorecard-maintainers - These updates to the GitHub Action installation tool are ready for review!

In the next batch of updates, I'd like to combine the following GitHub clients:

• https://github.com/ossf/scorecard-action/blob/main/github/github.go
• https://github.com/ossf/scorecard-action/blob/main/install/github/github.go

We currently have the following comment in code:

// ParseFromURL is a function to get the repository information.
// It is decided to not use the golang GitHub library because of the
// dependency on the github.com/google/go-github/github library
// which will in turn require other dependencies.

...but as we've introduced the go-github library to support the installer tool, it makes sense to deduplicate common code paths.

As part of that deduplication, I'll be able to mock the GitHub client and write a few tests for previously uncovered code paths.