
github: stop cross-host redirects to prevent bearer token leakage #4189

Closed
evilgensec wants to merge 1 commit into google:master from evilgensec:fix-cross-host-redirect-token-leak

Conversation


@evilgensec evilgensec commented May 6, 2026

WithAuthToken wraps the Transport with a RoundTripper that unconditionally
injects Authorization: Bearer TOKEN on every RoundTrip call, including
intermediate calls that http.Client makes when following redirects.
Go's http.Client strips the Authorization header before building a
cross-host redirect request, but the wrapped Transport immediately
re-adds it, forwarding the token to every host in the redirect chain.

The GitHub API redirects certain endpoints to different hosts. Repository
archive downloads are redirected to codeload.github.com and release
asset downloads are redirected to objects.githubusercontent.com. Any
application that calls an endpoint that redirects cross-host, or that
accepts user-provided URLs, will leak its GitHub token to the redirect
destination.

Fix: add a CheckRedirect hook in WithAuthToken that returns
http.ErrUseLastResponse when the redirect target host differs from the
initial request host. This surfaces the 3xx to the caller instead of
following it, preventing token injection into cross-host requests. The
hook composes correctly with any CheckRedirect already set on the
underlying http.Client.

Same-host redirects continue to work as before.

New tests:

  • cross-host redirect does not leak token: verifies 302 is returned and
    the redirect destination does not receive the Authorization header.
  • same-host redirect is followed: verifies backward compatibility for
    same-host redirects.

Fixes #4190

WithAuthToken wraps the Transport with a RoundTripper that unconditionally
injects Authorization: Bearer TOKEN on every RoundTrip call, including
intermediate calls that http.Client makes when following redirects.
Go's http.Client strips the Authorization header before building a
cross-host redirect request, but the wrapped Transport immediately
re-adds it, forwarding the token to every host in the redirect chain.

The GitHub API redirects certain endpoints to different hosts. Repository
archive downloads are redirected to codeload.github.com and release
asset downloads are redirected to objects.githubusercontent.com. Any
application that calls an endpoint that redirects cross-host, or that
accepts user-provided URLs, will leak its GitHub token to the redirect
destination.

Fix: add a CheckRedirect hook in WithAuthToken that returns
http.ErrUseLastResponse when the redirect target host differs from the
initial request host. This surfaces the 3xx to the caller instead of
following it, preventing token injection into cross-host requests. The
hook composes correctly with any CheckRedirect already set on the
underlying http.Client.

Same-host redirects continue to work as before.

New tests:
- cross-host redirect does not leak token: verifies 302 is returned and
  the redirect destination does not receive the Authorization header.
- same-host redirect is followed: verifies backward compatibility for
  same-host redirects.

Fixes google#3386
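The mechanism the description above spells out, as an added Go example (constructed for this page, not go-github's own code): a RoundTripper that injects the bearer token on every hop, which is the behaviour WithAuthToken is described as having, beside a CheckRedirect hook that returns http.ErrUseLastResponse when the next hop's host differs from the first request's and otherwise defers to any hook already installed. Two constructed httptest servers on loopback stand in for the API host and the redirect destination; because both listen on 127.0.0.1, the guard compares URL.Host (host and port) so that the second server counts as a different host. Every name here (bearerTransport, sameHostOnly, newClient, redirectProbe, probeResult) is this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// bearerTransport reproduces the behaviour the PR describes: the token is
// injected on every RoundTrip, so whatever http.Client stripped from the
// redirect request is re-added before it leaves the process.
// (Constructed for this example; not go-github's WithAuthToken.)
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// sameHostOnly returns a CheckRedirect hook that stops at the first hop whose
// URL.Host (host:port) differs from the initial request's. Returning
// http.ErrUseLastResponse hands the 3xx back to the caller unfollowed, so the
// transport never sees the cross-host request. Same-host hops are passed to
// the previously installed hook (prev); with none, Go's default limit of 10
// redirects is reproduced.
func sameHostOnly(prev func(*http.Request, []*http.Request) error) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if req.URL.Host != via[0].URL.Host {
			return http.ErrUseLastResponse
		}
		if prev != nil {
			return prev(req, via)
		}
		if len(via) >= 10 {
			return errors.New("stopped after 10 redirects")
		}
		return nil
	}
}

// newClient wires the token-injecting transport into a client; hardened
// selects whether the cross-host guard is installed.
func newClient(token string, hardened bool) *http.Client {
	c := &http.Client{Transport: &bearerTransport{token: token, base: http.DefaultTransport}}
	if hardened {
		c.CheckRedirect = sameHostOnly(c.CheckRedirect)
	}
	return c
}

// probeResult records the status the caller saw and whether the redirect
// destination ever received an Authorization header.
type probeResult struct {
	Status      int
	CDNGotToken bool
}

// redirectProbe starts two constructed loopback servers: "api" redirects
// /archive to "cdn" (a different host:port) and /same to itself, then performs
// one GET through the supplied client and reports the outcome.
func redirectProbe(c *http.Client, path string) (probeResult, error) {
	var cdnAuth atomic.Value
	cdn := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cdnAuth.Store(r.Header.Get("Authorization"))
		w.WriteHeader(http.StatusOK)
	}))
	defer cdn.Close()

	var api *httptest.Server
	api = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/archive":
			http.Redirect(w, r, cdn.URL+"/blob", http.StatusFound)
		case "/same":
			http.Redirect(w, r, api.URL+"/final", http.StatusFound)
		default:
			w.WriteHeader(http.StatusOK)
		}
	}))
	defer api.Close()

	resp, err := c.Get(api.URL + path)
	if err != nil {
		return probeResult{}, err
	}
	resp.Body.Close()
	got, _ := cdnAuth.Load().(string) // nil (never stored) yields ""
	return probeResult{Status: resp.StatusCode, CDNGotToken: got != ""}, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		c := newClient("constructed-token", hardened)
		for _, p := range []string{"/archive", "/same"} {
			r, err := redirectProbe(c, p)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("hardened=%-5v path=%-8s status=%d cdnGotToken=%v\n", hardened, p, r.Status, r.CDNGotToken)
		}
	}
}
```

Run as-is, the unguarded client follows /archive and the second server records the bearer token; the guarded client returns the 302 to the caller and the second server is never contacted, while /same is still followed to a 200. A caller that needs the archive bytes then fetches the Location itself with a client that carries no token, which is the behaviour the description asks for.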
gmlewis (Collaborator) commented May 7, 2026

@evilgensec - I believe this issue was already resolved by #4171.
cc: @mohammadmseet-hue - do you agree?

codecov Bot commented May 7, 2026

Codecov Report

❌ Patch coverage is 62.50000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.70%. Comparing base (6c643b8) to head (f0e8282).

Files with missing lines   Patch %   Lines
github/github.go           62.50%    2 Missing and 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4189      +/-   ##
==========================================
- Coverage   93.71%   93.70%   -0.02%     
==========================================
  Files         209      209              
  Lines       19770    19778       +8     
==========================================
+ Hits        18527    18532       +5     
- Misses       1046     1048       +2     
- Partials      197      198       +1     


evilgensec (Author) commented

Confirmed duplicate of #4171 — closing. Thanks for the pointer!

@evilgensec evilgensec closed this May 7, 2026


Linked issue: github: WithAuthToken leaks bearer token on cross-host redirects
