Use basic auth for GitHub rather than query parameters

[cjwatson]

We've been getting emails like this to build.snapcraft.io's service address:

Hi @build-snapcraft-io,

On February 6th, 2020 at 21:33 (UTC) your application (Snapcraft) used its `client_id` and `client_secret` (with the User-Agent SnapcraftBuild) as part of a set of query parameters to access an endpoint through the GitHub API:

https://api.github.com/repositories/155483798/contents/snap/snapcraft.yaml

Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated.

Depending on your API usage, we'll be sending you this email reminder at most once every 3 days.
Just one URL that was accessed with a User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

See src/server/helpers/github.js: we use this approach in a few places where user auth isn't available and we have to use service auth. https://developer.github.com/v3/auth/#via-oauth-and-personal-access-tokens describes an approach to using OAuth access tokens via basic auth, but I haven't tested whether the same sort of approach works for OAuth application authentication rather than OAuth user authentication (can the client_id be used as a username?). This needs testing.

(We also pass client_id and client_secret as query parameters in src/server/handlers/github-auth.js, but note that this does not seem to be what the GitHub deprecation is talking about; that's part of the OAuth web flow, and those parameters are documented as required in that context.)