@PhoebeMay PhoebeMay commented Dec 3, 2025

Summary

Adds support for creating repository-scoped installation access tokens via the GitHub Apps API. This allows tokens to be
restricted to specific repositories instead of granting access to all repositories in an installation.

This is an implementation of https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app

API Usage

// Create a scoped token for specific repositories
AccessTokenRequest request = ImmutableAccessTokenRequest.builder()
    .repositoryIds(List.of(313604, 314195))
    .build();

AccessToken token = appClient.getAccessToken(installationId, request).join();

// Or scope by repository name (separate variable so both snippets compile in one scope)
AccessTokenRequest requestByName = ImmutableAccessTokenRequest.builder()
    .repositories(List.of("my-repo"))
    .build();

Testing

Unit Tests

All existing tests pass, plus 3 new test cases:

  • ✅ getAccessTokenWithoutScoping - Verifies backward compatibility (empty body)
  • ✅ getAccessTokenWithRepositoryScoping - Verifies scoped token creation with both repositories and repository_ids
  • ✅ getAccessTokenWithEmptyRequest - Verifies empty request serializes to {}

Manual Testing

Verified end-to-end with GitHub Enterprise Server:

Test 1: Unscoped Token (Old Behavior)

Created token using existing getAccessToken(installationId) method

GithubAppClient appClient = client.createGithubAppClient();
AccessToken unscopedToken = appClient.getAccessToken(installationId).join();

Verification via GitHub API:

curl -H 'Authorization: Bearer <token>' \
     https://ghe.spotify.net/api/v3/installation/repositories

Result:
{
  "total_count": 9,
  "repository_count": 9,
  "repository_names": [
    "genai-migration/honk",
    "genai-migration/migration-prompts",
    "genai-migration/update-metadata-shift",
    "genai-migration/ai-migrations",
    "genai-migration/trigger-agent",
    "genai-migration/goosebump",
    "genai-migration/honk-log-classifier",
    "genai-migration/demo-library",
    "genai-migration/honk-system"
  ]
}
✅ Token granted access to all 9 repositories in the installation

Test 2: Repository-Scoped Token (New Functionality)

Created token using new getAccessToken(installationId, AccessTokenRequest) method:

AccessTokenRequest request = ImmutableAccessTokenRequest.builder()
    .repositoryIds(List.of(313604))
    .build();

Verification via GitHub API:

curl -H 'Authorization: Bearer <scoped_token>' \
     https://ghe.spotify.net/api/v3/installation/repositories

Result:
{
  "total_count": 1,
  "repository_count": 1,
  "repository_names": [
    "genai-migration/honk"
  ],
  "repository_ids": [
    313604
  ]
}

✅ Token granted access to only 1 repository (the scoped repository)
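
The scope comparison done by hand in the two manual tests above, written as an added example that is not part of this pull request or the project's code. The function names are hypothetical, and the listing is assumed to be the raw REST response of `GET /installation/repositories` (`total_count` plus a `repositories` array with `id`, `name`, `full_name`) rather than the summarized result shown in the description.

```python
import json

def build_token_request(repository_ids=(), repositories=()):
    """JSON body for the create-installation-token call; {} means unscoped."""
    body = {}
    if repository_ids:
        body["repository_ids"] = sorted(set(repository_ids))
    if repositories:
        body["repositories"] = sorted(set(repositories))
    return body

def audit_scope(request_body, listing):
    """Check a token's repository listing against the scope that was requested.

    listing: parsed JSON from GET /installation/repositories made with the token
    (assumed raw REST shape). Returns (ok, problems) and fails closed.
    """
    want_ids = set(request_body.get("repository_ids", []))
    want_names = set(request_body.get("repositories", []))
    if not want_ids and not want_names:
        return False, ["request is unscoped: token covers the whole installation"]
    problems = []
    repos = listing.get("repositories", [])
    if listing.get("total_count") != len(repos):
        problems.append("listing incomplete: fetch every page before trusting it")
    for repo in repos:
        if repo["id"] not in want_ids and repo["name"] not in want_names:
            problems.append(f"unexpected access: {repo['full_name']} ({repo['id']})")
    got_ids = {repo["id"] for repo in repos}
    got_names = {repo["name"] for repo in repos}
    problems += [f"requested id not granted: {i}" for i in sorted(want_ids - got_ids)]
    problems += [f"requested name not granted: {n}" for n in sorted(want_names - got_names)]
    return not problems, problems

# Constructed sample listings. Only id 313604 / genai-migration/honk comes from
# the manual test above; the second repository is a placeholder.
HONK = {"id": 313604, "name": "honk", "full_name": "genai-migration/honk"}
OTHER = {"id": 1, "name": "placeholder", "full_name": "example-org/placeholder"}
SCOPED = {"total_count": 1, "repositories": [HONK]}
OVERBROAD = {"total_count": 2, "repositories": [HONK, OTHER]}
TRUNCATED = {"total_count": 9, "repositories": [HONK]}

if __name__ == "__main__":
    req = build_token_request(repository_ids=[313604])
    for label, listing in [("scoped", SCOPED), ("overbroad", OVERBROAD), ("truncated", TRUNCATED)]:
        print(label, json.dumps(audit_scope(req, listing)))
```

A listing whose `total_count` exceeds the repositories returned is treated as a failure, since a single page cannot show that the token is limited to the requested set.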

Adds ability to create installation access tokens scoped to specific
repositories instead of all repositories in an installation.

Changes:
- Add AccessTokenRequest model with repositories and repository_ids fields
- Add overloaded getAccessToken(installationId, AccessTokenRequest) method
- Maintain backward compatibility with existing getAccessToken(installationId)
- Add comprehensive test coverage for scoped and unscoped tokens

codecov bot commented Dec 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.04%. Comparing base (6edf7d5) to head (0c37e52).

Additional details and impacted files
@@             Coverage Diff              @@
##             master     #258      +/-   ##
============================================
+ Coverage     77.67%   78.04%   +0.37%     
- Complexity      451      456       +5     
============================================
  Files            60       60              
  Lines          1451     1453       +2     
  Branches         63       63              
============================================
+ Hits           1127     1134       +7     
+ Misses          279      274       -5     
  Partials         45       45              

@PhoebeMay PhoebeMay changed the title Add repository-scoped token support to GithubAppClient feat: Add repository-scoped token support to GithubAppClient Dec 4, 2025
@PhoebeMay PhoebeMay marked this pull request as ready for review December 4, 2025 17:08