Doc calling out GitHub OAuth client secret behavior (microsoft#242210)

Author: TylerLeonhardt

extensions/github-authentication/src/config.ts

@@ -10,6 +10,10 @@ export interface IConfig {
 }
 
 // For easy access to mixin client ID and secret
+//
+// NOTE: GitHub client secrets cannot be secured when running in a native client so in other words, the client secret is
+// not really a secret... so we allow the client secret in code. It is brought in before we publish VS Code. Reference:
+// https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/best-practices-for-creating-an-oauth-app#client-secrets
 export const Config: IConfig = {
 	gitHubClientId: '01ab8ac9400c4e429b23'
 };