[backport] OAuth build-time credentials + docs (upstream main)

[gastrodon]

Summary

Completes the OAuth feature with build infrastructure and user-facing documentation:

• internal/buildinfo/buildinfo.go: exports DefaultOAuthClientID and DefaultOAuthClientSecret vars injected at link time via goreleaser -ldflags from repo secrets OAUTH_CLIENT_ID/OAUTH_CLIENT_SECRET
• Official binaries ship zero-config defaults; local dev builds require --oauth-client-id
• docs/oauth-login.md: dedicated guide covering PKCE/device flows, display channels, URL-elicitation security advisory, Docker fixed-port recipe, BYO-app, and GHES requirements
• README.md and server.json updated: PAT made optional, OAuth callback port published, Docker install badges updated to use OAuth-first workflow
• NormalizeHost exported from internal/oauth so github.com host aliases still receive the baked-in client

Upstream reference

• version: upstream main (post v1.4.0, unreleased)
• commits: github@8ce77e3 (3/4 + 4/4 squashed)
• PRs: build(oauth): bake in default OAuth credentials for official releases (3/4) github/github-mcp-server#2711, docs(oauth): stdio OAuth login guide + OAuth-first install config (4/4) github/github-mcp-server#2717

Fork conflict

None. internal/buildinfo is new. server.json and docs are not part of the fork's custom tools.

Context

Without baked-in credentials, every user of official binaries would need to register their own OAuth app. The ldflags injection makes the official image truly zero-config while leaving dev builds explicit.

Depends on

See parent issue (OAuth story).

[gastrodon]

Unified Changelog — upstream main since v1.4.0

All changes below are unreleased upstream commits on github/github-mcp-server main (post v1.4.0, 2026-06-18 → 2026-06-26). All are present in this fork's codebase; PATCHER.md has not yet been updated.

See #10 for the full changelog. Summary:

• [backport] OAuth 2.1 stdio login (upstream main) [story] #13 (story): OAuth 2.1 stdio login → sub-issues [backport] OAuth 2.1 core library — PKCE + device flows (upstream main) #10 [backport] Wire OAuth 2.1 login into stdio server (upstream main) #11 [backport] OAuth build-time credentials + docs (upstream main) #12
• [backport] Issue dependency read/write tools (upstream main) #14: Issue dependency read/write tools
• [backport] get_parent method for issue_read (upstream main) #15: get_parent for issue_read
• [backport] Promote issue fields to default, remove legacy issue_write methods (upstream main) #16: Promote issue fields, remove legacy issue_write
• [backport] Remove show_ui parameter, centralize show/defer decision (upstream main) #17: Remove show_ui, centralize show/defer
• [backport] Fix delete:true on issue fields — REST DELETE fallback (upstream main) #18: Fix delete:true on issue fields
• [backport] Bound ui_get pagination to prevent latency spikes (upstream main) #19: Bound ui_get pagination
• [backport] Fix issue_write MCP App form gating for labels/assignees/milestone/type (upstream main) #20: Fix issue_write form gating
• [backport] Validate required params in add_comment_to_pending_review (upstream main) #21: Validate required params in add_comment_to_pending_review

[gastrodon]

No-op. The fork already has internal/buildinfo/buildinfo.go (DefaultOAuthClientID/Secret vars for ldflags injection) and docs/oauth-login.md. The server.json and README OAuth updates are also present.