[Auth] Take google colab token from env first

[Wauplin]

Originally from @xenova on slack (internal):

Raising as potential unexpected behaviour. The team were making model changes via colab, and even though they logged in, it seemed to have picked the colab secret instead.

This PR fixes this. If a user runs login in a Colab (saves the token in a local file) or sets an env variable, it should take precedence over the Colab's vault.

---

Note

Medium Risk
Changes authentication precedence in Google Colab, which can alter which HF account is used for hub requests when multiple token sources exist.

Overview
Reorders HF token resolution in Colab so explicit user credentials win over the notebook secrets vault.

get_token() now checks HF_TOKEN / HUGGING_FACE_HUB_TOKEN, then the on-disk token file (e.g. after login()), and only then Google Colab’s HF_TOKEN secret. Previously Colab’s vault was consulted first, which could override a token the user had just saved via login() or set in the environment.

^{Reviewed by Cursor Bugbot for commit e3e2a9b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[julien-c]

kinda makes sense

[bot-ci-comment]

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

[huggingface-hub-bot]

This PR has been shipped as part of the v1.19.0 release.