fix(go-ci): replace persistent http.extraHeader with job-scoped GIT_CONFIG env vars

[devops-bda]

Problem

go-ci.yml's "Configure Git for private modules" step writes:

git config --global http."https://github.com/".extraHeader "Authorization: token ${GH_PAT}"

to the runner user's persistent ~/.gitconfig. On self-hosted runners this:

1. Survives after the job — actions/checkout@v4 later copies the polluted
   global config into its sandbox and adds its own extraHeader, producing
   remote: Duplicate header: "Authorization" / exit code 128 on checkout.
2. Doesn't satisfy git's credential pre-check at all — go mod download
   fails with fatal: could not read Username for 'https://github.com': terminal prompts disabled, because extraHeader adds a header but never
   registers a credential.

This regressed in a495be6 ("use http.extraHeader instead of URL-embedded
token"), which replaced the previously-working url.insteadOf approach.

Fix

Replace the git config --global call with job-scoped GIT_CONFIG_COUNT /
GIT_CONFIG_KEY_0 / GIT_CONFIG_VALUE_0 environment variables (exported via
$GITHUB_ENV), expressing the same url.<token>@github.com/.insteadOf
rewrite that Go's own FAQ recommends for private-module auth
(https://golang.org/doc/faq#git_https).

This:

• Never touches ~/.gitconfig — nothing persists on the runner, no cleanup needed
• Is scoped to the current job only (env vars vanish when the job ends)
• Uses url.*.insteadOf, a different config key than checkout's
  http.*.extraHeader — cannot collide
• Satisfies git's credential check, so go mod download works without prompting

Testing

• goprivate-enabled job: go mod download succeeds for github.com/bluefunda/bff
• actions/checkout@v4 succeeds with no Duplicate-header / exit 128
• git config --global --list --show-origin on the runner shows no
  http.https://github.com/.extraheader after the run
• Verified across cai-bff, cai-llm-router, and release-foundry consumers

🤖 Generated with Claude Code