Added extra debug when doing kosli attest pullrequest github if the debug flag is set

[ToreMerkely]

• debug(github): log GitHub HTTP requests/responses under --debug
• fix(github): silence errcheck on debug Fprintf calls
• ci: fix Debug build trigger to match this branch name
• ci: debug-build runs on any branch and produces all platforms
• ci: split debug-build into one artifact per platform
• ci: write each artifact URL to the run summary
• ci: also expose nightly.link URLs in debug-build summary
• debug(github): redact Cookie/Set-Cookie/Proxy-Authorization too
• ci: remove temporary debug-build workflow

[claude]

Claude finished @ToreMerkely's task in 1m 58s —— View job

---

PR Review: Extra debug logging for GitHub API calls

• Run static analysis (build, vet, mod tidy)
• Review changed files
• Post review findings

---

Static Analysis

All three checks pass cleanly:

• go build ./... — compiles
• go vet ./... — no warnings
• go mod tidy — no diff

---

Review Summary

This is a well-scoped PR. It threads a debug bool through the GitHub client stack and wraps the HTTP transport to dump requests/responses to stderr, with credential redaction. The previous review round's test coverage suggestion was addressed — TestRedactAuthHeader and TestRedactSensitiveHeader have solid branch coverage.

No blocking issues found. A few observations below.

What's done well

• Clean transport wrapping — debugTransport composes via http.RoundTripper, keeping it isolated from production paths.
• Redaction is thoughtful — Authorization keeps last 4 chars for diagnostics; cookies and proxy-auth are fully redacted. The doc comments explain the "why" behind each choice.
• logf silences errcheck correctly — _, _ = fmt.Fprintf(...) is the right idiom for intentionally-ignored write errors on debug output.
• Good test coverage — Both redaction functions have table-driven tests covering boundary conditions (empty, short, exactly-4-char tokens, case-insensitive header matching, pass-through for non-sensitive headers). The X-OAuth-Scopes intentional non-redaction is explicitly documented in a test case.
• Signature changes are mechanically consistent — all callers of NewGithubConfig, NewGithubClientFromToken, NewGithubRetrieverFunc, and defaultNewGithubRetriever have been updated, including test fakes and contract tests.

Minor observations (non-blocking)

1. Response body on ReadAll error path (github.go:130-135): When io.ReadAll(resp.Body) fails, the code replaces resp.Body with an empty NopCloser. This is a sensible defensive choice — it prevents the caller from reading a closed body — but it does silently transform the response. In practice, response bodies from the GitHub API are in-memory buffers from the TLS layer, so ReadAll failure here is extremely unlikely. Just calling it out as a known trade-off, not something to change.

2. Request body on ReadAll error path (github.go:106-116): If io.ReadAll(req.Body) fails, the request body is closed but not restored. The subsequent base.RoundTrip(req) would see a nil/closed body. As the author noted in review discussion, this is effectively unreachable for in-memory request bodies, and the current behavior (surfacing the error to the caller) is actually more correct than silently substituting http.NoBody.

3. Header iteration order: req.Header / resp.Header map iteration is non-deterministic in Go. Debug output for the same request may show headers in different orders across runs. This is fine for human-readable debug logs — just noting it for completeness.

This PR is clean and ready to merge. The review discussion from the previous round was handled well — the author made good calls on which suggestions to accept (test coverage) and which to skip (body truncation, io.Writer plumbing, X-OAuth-Scopes redaction), with clear reasoning.