use github token env var if present when fetching org id (#19244)

builtin/credential/github/path_config_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strings"
 	"testing"
 
@@ -120,6 +121,43 @@ func TestGitHub_WriteReadConfig_OrgID(t *testing.T) {
 	assert.Equal(t, "foo-org", resp.Data["organization"])
 }
 
+// TestGitHub_WriteReadConfig_Token tests that we can successfully read and
+// write the github auth config with a token environment variable
+func TestGitHub_WriteReadConfig_Token(t *testing.T) {
+	b, s := createBackendWithStorage(t)
+	// use a test server to return our mock GH org info
+	ts := setupTestServer(t)
+	defer ts.Close()
+
+	err := os.Setenv("VAULT_AUTH_CONFIG_GITHUB_TOKEN", "foobar")
+	assert.NoError(t, err)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Path:      "config",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"organization": "foo-org",
+			"base_url":     ts.URL, // base_url will call the test server
+		},
+		Storage: s,
+	})
+	assert.NoError(t, err)
+	assert.Nil(t, resp)
+	assert.NoError(t, resp.Error())
+
+	// Read the config
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Path:      "config",
+		Operation: logical.ReadOperation,
+		Storage:   s,
+	})
+	assert.NoError(t, err)
+	assert.NoError(t, resp.Error())
+
+	// the token should not be returned in the read config response.
+	assert.Nil(t, resp.Data["token"])
+}
+
 // TestGitHub_ErrorNoOrgID tests that an error is returned when we cannot fetch
 // the org ID for the given org name
 func TestGitHub_ErrorNoOrgID(t *testing.T) {