feat: GitHub Enterprise Server (GHES) support

[raghavpillai]

Summary

Adds support for self-hosted GitHub Enterprise Server instances. When configured via environment variables, all GitHub API calls, OAuth flows, avatar loading, and UI links point at the GHES host instead of github.com. When no GHES env vars are set, behavior is identical to today.

Closes #325

Problem

Every GitHub URL in the codebase is hardcoded to github.com / api.github.com. This makes it impossible to use Better Hub with a GHES instance. GHES also has some quirks — /api/v3 and /api/graphql live on the same host, and private-mode instances require web session cookies (not API tokens) to fetch avatar images.

Changes

Centralized GitHub URL config (src/lib/github-config.ts)

• New module that reads GITHUB_WEB_URL, GITHUB_API_URL, GITHUB_GRAPHQL_URL from env vars
• Exports IS_GHES, GITHUB_HOSTNAME, and URL constants
• Falls back to github.com defaults when env vars are unset

Generic OAuth (src/lib/auth.ts, src/lib/auth-client.ts, src/components/login-button.tsx)

• Replaced socialProviders.github with genericOAuth plugin so authorization and token endpoints can be configured per-instance
• getUserInfo fetches from the configurable API URL with response status validation
• Login button updated to use signIn.oauth2({ providerId: "github" })

GHES avatar proxy (src/app/api/github-avatar/route.ts, src/components/shared/ghes-image.tsx)

• New server-side route that authenticates with the GHES web UI, caches the session cookie (4h TTL), and proxies avatar images
• Automatic session refresh on failed fetches — if the cached session expires, re-authenticates and retries once before falling back to a colored SVG placeholder
• GhesImage component wraps next/image to transparently route GHES avatar URLs through the proxy
• githubAvatarUrl() helper exported for raw <img> tags

UI updates (~60 component files)

• All hardcoded https://github.com references replaced with configurable GITHUB_WEB_URL / NEXT_PUBLIC_GITHUB_WEB_URL
• Covers links, breadcrumbs, "Open in GitHub" buttons, copy-link, command menu, security advisories, release download URLs, etc.
• next.config.ts updated to add GHES hostname to images.remotePatterns
• GitHub link interceptor and proxy rewrite updated to use configurable hostname

Other

• Octokit instances in src/lib/github.ts now use configurable baseUrl and GraphQL endpoint
• .env.example updated with GHES configuration variables
• Redis cache in getOctokitUser fixed — removed double JSON serialization that was causing cache misses

Configuration

# All optional — defaults to github.com when unset
NEXT_PUBLIC_GITHUB_WEB_URL=https://ghes.example.com
GITHUB_WEB_URL=https://ghes.example.com
GITHUB_API_URL=https://ghes.example.com/api/v3
GITHUB_GRAPHQL_URL=https://ghes.example.com/api/graphql

# Only needed for GHES private-mode avatar proxying
GHES_AVATAR_USERNAME=bot-account
GHES_AVATAR_PASSWORD=password

Validation

• Deployed and tested against a live GHES 3.x instance in private mode
• OAuth sign-in flow works end to end (authorize → callback → session)
• Avatar proxying works for private-mode instances with automatic session refresh
• All UI links correctly point at the GHES host
• Verified that no env vars = unchanged github.com behavior
• bun run build passes cleanly

Notes

• The genericOAuth plugin is a drop-in replacement for socialProviders.github — the OAuth flow is identical, just with configurable endpoints
• The avatar proxy is only active when IS_GHES is true, so there's zero overhead for github.com users
• Remaining github.com references in the diff are intentional defaults/fallbacks in github-config.ts and next.config.ts

[vercel]

@raghavpillai is attempting to deploy a commit to the better-auth Team on Vercel.

A member of the Team first needs to authorize it.

[ping-maxwell]

Hey this is awesome work!

I'm keeping your PR open for now until we decide where Better Hub will go in terms of GHES support.
I can see pretty much all you've changed is the URL to GH endpoints, but we dont use GHES so it's hard to test and maintain.