Use Sonatype Guide PAT for OSS Index audit

Ported from open-telemetry/opentelemetry-java-instrumentation#18515

Author: trask

.github/repository-settings.md

@@ -10,8 +10,7 @@ private admin repo.
 
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `SONATYPE_OSS_INDEX_USER` - owned by [@jack-berg](https://github.com/jack-berg)
-- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_GUIDE_PAT` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
 

.github/workflows/oss-index-audit-daily.yml

@@ -29,8 +29,7 @@ jobs:
         id: audit
         continue-on-error: true
         env:
-          SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
-          SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
+          SONATYPE_GUIDE_PAT: ${{ secrets.SONATYPE_GUIDE_PAT }}
           DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
       - name: Print vulnerability report

buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -49,8 +49,9 @@ checkstyle {
 }
 
 ossIndexAudit {
-  username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
-  password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+  // Guide PAT authentication ignores this, but the scan plugin requires it.
+  username = "unused"
+  password = System.getenv("SONATYPE_GUIDE_PAT") ?: ""
   outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
   isPrintBanner = false
 }