mindersec/minder

Finish #4317 and merge


Please describe the enhancement

#4317 includes a spike (incomplete, demo-able code) for authenticating GitHub Actions using a distinct username structure. We've decided that this approach makes sense, but the code in question has a few "TODO" or "This is gross" items that need cleanup, along with tests. It also needs to catch up with about 3-4 months of merged PRs and be re-tested.

Solution Proposal

Complete the 2-3 TODOs in the draft PR, and add tests for internal/auth/githubactions (new code) and internal/auth/jwt/dynamic (also new code).

Describe alternatives you've considered

Attempt to use Keycloak token exchange; this does not fit well because:

  • GitHub Actions tokens come from a different iss (issuer) than human GitHub OIDC logins, and carry differently-shaped identities
  • GitHub Actions identities are not able to do things like accept Terms & Conditions or follow a webpage to delete their account
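To make the "different issuer, differently-shaped identity" point concrete, here is an added Go example (not Minder's code, and not the username structure the spike in #4317 uses) that maps already signature-verified token claims to a principal. The issuer URL and the "repo:owner/repo:..." sub format are GitHub's real ones; the Principal type, the "githubactions:" username prefix and the use of preferred_username for human tokens are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GitHubActionsIssuer is the OIDC issuer of GitHub Actions ID tokens.
const GitHubActionsIssuer = "https://token.actions.githubusercontent.com"

// Principal is a hypothetical normalized identity derived from verified claims.
type Principal struct {
	Kind     string // "human" or "githubactions"
	Username string
}

// PrincipalFromClaims maps claims (whose signature, expiry and audience
// must already have been verified against the issuer's JWKS) to a Principal.
// Only the issuer decides which branch runs, so an Actions token can never
// satisfy the human path even if it carried a preferred_username claim.
func PrincipalFromClaims(claims map[string]any) (Principal, error) {
	iss, _ := claims["iss"].(string)
	sub, _ := claims["sub"].(string)
	if iss == "" || sub == "" {
		return Principal{}, errors.New("missing iss or sub claim")
	}
	if iss != GitHubActionsIssuer {
		// Assumption: human tokens brokered through Keycloak carry preferred_username.
		user, ok := claims["preferred_username"].(string)
		if !ok || user == "" {
			return Principal{}, errors.New("human token without preferred_username")
		}
		return Principal{Kind: "human", Username: user}, nil
	}
	// An Actions sub looks like "repo:owner/repo:ref:refs/heads/main" or
	// "repo:owner/repo:environment:prod"; the repository segment names the actor.
	parts := strings.SplitN(sub, ":", 3)
	if len(parts) < 3 || parts[0] != "repo" || !strings.Contains(parts[1], "/") {
		return Principal{}, fmt.Errorf("unexpected GitHub Actions sub format: %q", sub)
	}
	// Hypothetical username scheme: prefix plus lower-cased owner/repo.
	return Principal{Kind: "githubactions", Username: "githubactions:" + strings.ToLower(parts[1])}, nil
}

func main() {
	// Constructed sample claims, as a verified Actions token would present them.
	p, err := PrincipalFromClaims(map[string]any{
		"iss": GitHubActionsIssuer, "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
	})
	fmt.Println(p, err)
}
```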

Additional context

Adding support to the Minder CLI to automatically pick up and use the GitHub token endpoint will be a subsequent item.

Acceptance Criteria

The GitHub Action at https://github.com/evankanderson/actions-id-token-testing/blob/main/.github/workflows/minder-auth-token-test.yaml should work against any deployed Minder instance.