Improve use of github token (#1769)

* Add new dep zeroize

* Use Zeroizing to avoid leaking the token

* Optimize gh-auth-token

Spawn it as a task, and only await it
when using GhApiClient

* Fix binstalk-git-repo-api unit tests

crates/bin/src/args.rs

@@ -15,11 +15,11 @@ use binstalk::{
 };
 use clap::{error::ErrorKind, CommandFactory, Parser, ValueEnum};
 use compact_str::CompactString;
-
 use log::LevelFilter;
 use semver::VersionReq;
 use strum::EnumCount;
 use strum_macros::EnumCount;
+use zeroize::Zeroizing;
 
 #[derive(Debug, Parser)]
 #[clap(
@@ -308,7 +308,7 @@ pub struct Args {
     /// token from `$HOME/.git-credentials` or `$HOME/.config/gh/hosts.yml`
     /// unless `--no-discover-github-token` is specified.
     #[clap(help_heading = "Options", long, env = "GITHUB_TOKEN")]
-    pub(crate) github_token: Option<CompactString>,
+    pub(crate) github_token: Option<GithubToken>,
 
     /// Only install packages that are signed
     ///
@@ -365,6 +365,15 @@ pub struct Args {
     pub(crate) quiet: bool,
 }
 
+#[derive(Debug, Clone)]
+pub(crate) struct GithubToken(pub(crate) Zeroizing<Box<str>>);
+
+impl From<&str> for GithubToken {
+    fn from(s: &str) -> Self {
+        Self(Zeroizing::new(s.into()))
+    }
+}
+
 #[derive(Debug, Copy, Clone, ValueEnum)]
 pub(crate) enum TLSVersion {
     #[clap(name = "1.2")]
@@ -575,7 +584,7 @@ You cannot use --{option} and specify multiple packages at the same time. Do one
 
     if opts.github_token.is_none() {
         if let Ok(github_token) = env::var("GH_TOKEN") {
-            opts.github_token = Some(github_token.into());
+            opts.github_token = Some(GithubToken(Zeroizing::new(github_token.into())));
         }
     }