Add HAB_AUTH_TOKEN support to automate-container-scan action #52

Open
peter-at-progress wants to merge 2 commits into main from peter-at-progress/hab-auth-token

@peter-at-progress
Collaborator

Description

Adds Habitat Builder authentication support to the automate-container-scan composite action to enable scanning of protected Habitat channels (e.g., dev).

Problem

The dev channel automate container scan workflow began failing on April 22, 2026 with 401 Unauthorized errors when attempting to download Habitat packages during Chef Automate deployment:

Error: failed to install package "chef/automate-es-gateway/0.1.0/20260421182556"
↓ Downloading core/libedit/20250104-3.1/20250627184159 for x86_64-linux
✗✗✗ Last error: [401 Unauthorized] 
✗✗✗ Please check that you have specified a valid Personal Access Token.

This appears to be new behavior where dev channel Habitat packages now require authentication, while current channel packages remain publicly accessible.

Solution

  1. Added hab_auth_token input parameter to the action definition
  2. Configured Habitat authentication by writing the token to /hab/etc/cli.toml before Chef Automate deployment
    • This ensures the token persists for all Habitat processes, including those spawned by systemd
    • Initial approach using docker exec -e HAB_AUTH_TOKEN didn't work because systemd services don't inherit environment variables
  3. Updated documentation with usage examples and notes about when the token is required

Changes

  • .github/actions/automate-container-scan/action.yml - Added hab_auth_token input and environment variable
  • .github/actions/automate-container-scan/run.sh - Configure token in Habitat CLI config before deployment
  • .github/actions/automate-container-scan/README.md - Document new parameter and usage

Backward Compatibility

✅ Fully backward compatible - channels that don't require authentication continue to work without the token parameter.

Related Issue

This fixes the automate-grype-scan workflow failure discovered on April 22, 2026 when the dev channel job failed while current succeeded. This appears to be a new authentication requirement for the dev channel Habitat packages.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

Testing

Tested with both channels in the automate-grype-scan workflow:

  • current channel: Continues to work (backward compatible, no token required)
  • dev channel: Now successfully deploys and scans with HAB_AUTH_TOKEN provided

Notes

The HAB_AUTH_TOKEN secret was already configured in the repository for existing Habitat package scanning workflows, so no additional secret setup is needed for users of this action.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
Configure token in /hab/etc/cli.toml so it persists for all Habitat
processes including those spawned by systemd during chef-automate deploy.
Previously the token was only passed as an environment variable to the
docker exec command, but systemd services don't inherit these variables.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
@peter-at-progress
Collaborator Author

@brianLoomis @sean-sype-simmons Could you review this HAB_AUTH_TOKEN fix? The dev channel automate scans started failing this morning with 401 errors due to new authentication requirements. This PR adds token support while maintaining backward compatibility. Thanks!
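
The approach in the PR description (persist the token in /hab/etc/cli.toml instead of relying on the `docker exec` environment), as an added example that is not the PR's run.sh. The function name and the optional root argument are hypothetical, and it assumes the Habitat CLI reads the token from the `auth_token` key of cli.toml.

```shell
# Added example (not the PR's run.sh). HAB_AUTH_TOKEN comes from the action's
# environment; the optional first argument is a hypothetical root override for testing.
write_hab_cli_token() (
  # Body runs in a subshell, so umask and variables do not leak to the caller.
  root="${1:-/hab}"
  cfg="$root/etc/cli.toml"
  token="${HAB_AUTH_TOKEN:-}"
  nl='
'
  # No token supplied: leave the config alone so public channels behave as before.
  [ -n "$token" ] || exit 0

  # Refuse characters that would end the TOML string or add extra keys.
  case "$token" in
    *'"'*|*'\'*|*"$nl"*)
      echo "HAB_AUTH_TOKEN contains characters not valid in a token" >&2
      exit 1 ;;
  esac

  mkdir -p "$root/etc" || exit 1
  umask 077                      # temp file is created owner-only
  tmp="$(mktemp "$root/etc/.cli.toml.XXXXXX")" || exit 1

  # Top-level keys must precede any TOML table, so the token goes first;
  # existing settings follow, minus any previous auth_token line.
  printf 'auth_token = "%s"\n' "$token" > "$tmp"
  if [ -f "$cfg" ]; then
    grep -v '^[[:space:]]*auth_token[[:space:]]*=' "$cfg" >> "$tmp" || true
  fi

  chmod 600 "$tmp" && mv -f "$tmp" "$cfg"   # rename is atomic within the directory
)
```

Because `printf` is a shell builtin, the token never appears in a process argument list, and the resulting file is readable only by its owner.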
