otterdog
Add the ability to use custom PAT for list-advisories command
Currently, the list-advisories command relies on the standard mechanism of using the project's admin bot PAT to fetch the security advisories of the project's org.
This means that, to execute this command, a CLI user must have access to the pass repository. Given that security managers have access to those advisories, it would be interesting to let them use their own PAT with the [list-advisories] command. Access to the pass repo would then no longer be required.
An alternative, short-term solution is to change the configuration file locally and point it at a PAT (classic, with repo scope only) stored in a custom local pass repository. I just tested that, and it works:
```shell
$ mkdir /tmp/test-otterdog
$ cd /tmp/test-otterdog
$ curl -JOL https://github.com/EclipseFdn/otterdog-configs/raw/refs/heads/main/otterdog.json
$ vi otterdog.json   # edit api_token_pattern, changed to "otterdog-advisories-pat"
$ mkdir /tmp/my-pass
$ export PASSWORD_STORE_DIR=/tmp/my-pass   # must match the directory created above
$ pass init <GPG_ID>                        # id or e-mail of the GPG key that encrypts the store
$ pass insert otterdog-advisories-pat       # prompts for the secret; paste <YOUR_TOKEN>
$ otterdog list-advisories
organization,created_at,updated_at,published_at,state,severity,ghsa_id,cve_id,html_url,summary
...
```
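The workaround above relies on the PAT being a classic token with the `repo` scope only. The following script, added here as an example and not part of otterdog or the otterdog-configs repository, reads the token from the `pass` entry named in the issue (`otterdog-advisories-pat`, assumed) and compares the scopes GitHub reports in the `X-OAuth-Scopes` response header against that allowed set, so an over-privileged token is caught before it is handed to the CLI. The allowed-scope set and the entry name are assumptions; the header parsing and comparison work offline on constructed header values.

```python
"""Verify a classic GitHub PAT carries exactly the scopes the list-advisories
workaround needs. Added example, not otterdog code. Assumes the token is stored
in the local pass entry `otterdog-advisories-pat` (as in the issue) and that
`repo` is the only scope required (assumption taken from the issue text)."""
import subprocess
import urllib.request
from typing import Optional, Set, Tuple

API_URL = "https://api.github.com/user"   # any authenticated endpoint returns X-OAuth-Scopes
ALLOWED_SCOPES: Set[str] = {"repo"}       # assumed minimal scope set for listing advisories
PASS_ENTRY = "otterdog-advisories-pat"     # name used in the issue's walkthrough


def parse_scopes(header: Optional[str]) -> Set[str]:
    """Parse GitHub's X-OAuth-Scopes header ("repo, read:org") into a set.
    Fine-grained tokens send no such header; an absent header yields an empty set."""
    if not header:
        return set()
    return {s.strip() for s in header.split(",") if s.strip()}


def check_scopes(scopes: Set[str],
                 allowed: Set[str] = ALLOWED_SCOPES) -> Tuple[bool, Set[str], Set[str]]:
    """Return (ok, missing, excess). ok is True only when every allowed scope is
    present and the token grants nothing beyond the allowed set."""
    missing = allowed - scopes
    excess = scopes - allowed
    return (not missing and not excess), missing, excess


def token_from_pass(entry: str = PASS_ENTRY) -> str:
    """Read the secret from the local pass store; the first line of the entry is the token."""
    out = subprocess.run(["pass", "show", entry], check=True,
                         capture_output=True, text=True).stdout
    return out.splitlines()[0].strip()


def fetch_scopes(token: str) -> Set[str]:
    """Ask the API which scopes the token actually has (network access required)."""
    req = urllib.request.Request(API_URL, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    ok, missing, excess = check_scopes(fetch_scopes(token_from_pass()))
    if ok:
        print("token scopes are exactly", sorted(ALLOWED_SCOPES))
    else:
        if missing:
            print("missing scopes:", sorted(missing))
        if excess:
            print("excess scopes (reduce the token before using it):", sorted(excess))
        raise SystemExit(1)
```

Run it with the same PASSWORD_STORE_DIR exported as in the walkthrough; a non-zero exit means the token either cannot list advisories or grants more than the job needs.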
btw, there is a way to override the settings in the otterdog.json.
Put a file .otterdog-defaults.json into the directory, and you can override some settings. Here is an example that overrides the password_store_dir:
```json
{
  "pass": {
    "password_store_dir": "/home/tn/workspace/eclipse/pass/cbi-pass/"
  },
  "jsonnet": {
    "config_dir": "orgs"
  }
}
```