Support PARTIO_CHECKPOINT_TOKEN env var for checkpoint branch authentication #142
Description
Add support for a PARTIO_CHECKPOINT_TOKEN environment variable that, when set, is injected into git push/fetch operations Partio uses for the checkpoint branch. This lets users and CI environments authenticate checkpoint operations against HTTPS remotes (e.g., a private GitHub repository used as a checkpoint store) without configuring git credentials globally.
The token should be passed via GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* env vars (not CLI args) to avoid the token appearing in process listings. For GitHub HTTPS remotes, encode as Basic auth with x-access-token:<token> base64-encoded in the Authorization header (GitHub's Git HTTP protocol requires Basic, not Bearer). SSH remotes emit a warning that the token is unused.
Why
Users pushing checkpoints to a separate private repository via checkpoint_remote in CI have no clean way to authenticate those git operations without setting up global git credential helpers. A dedicated env var with secure injection matches how CI systems manage secrets and avoids credential leakage.
User Relevance
CI users and teams using a centralized checkpoint repository can authenticate checkpoint push/fetch with a single environment variable, without touching global git config or exposing tokens in process arguments.
Source
Inspired by entireio/cli#818 and entireio/cli#827
Acceptance Criteria
- When PARTIO_CHECKPOINT_TOKEN is set and the checkpoint remote uses HTTPS, token is injected via GIT_CONFIG_COUNT env vars (not CLI args)
- Token is encoded as Basic auth (x-access-token:<token> base64) matching GitHub's Git HTTP protocol
- SSH remotes emit a warning that the token is ignored
- Unit test verifies correct header format for HTTPS remotes
- Unit test verifies no header injected for SSH remotes
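
The injection described above, as an added Go example that is not Partio's own code: `checkpointAuthEnv` is a hypothetical helper that builds the extra environment for a git child process. Scoping the header to the remote's host with `http.<url>.extraHeader`, continuing from an existing `GIT_CONFIG_COUNT`, and treating every non-HTTPS remote like SSH are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// checkpointAuthEnv (hypothetical name) returns env entries to append to a git
// child's environment (cmd.Env = append(base, extra...)), plus a warning when
// the token cannot be used. The token never appears in argv.
func checkpointAuthEnv(remote, token string, base []string) (extra []string, warning string) {
	if token == "" {
		return nil, ""
	}
	u, err := url.Parse(remote)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		// Covers ssh://, scp-style git@host:path, and plaintext http:// (assumption).
		return nil, "PARTIO_CHECKPOINT_TOKEN is set but the checkpoint remote is not HTTPS; token ignored"
	}
	// Continue after any GIT_CONFIG_COUNT already set so existing entries survive.
	n := 0
	for _, kv := range base {
		if strings.HasPrefix(kv, "GIT_CONFIG_COUNT=") {
			if c, err := strconv.Atoi(strings.TrimPrefix(kv, "GIT_CONFIG_COUNT=")); err == nil && c > 0 {
				n = c
			}
		}
	}
	cred := base64.StdEncoding.EncodeToString([]byte("x-access-token:" + token))
	return []string{
		fmt.Sprintf("GIT_CONFIG_COUNT=%d", n+1),
		// Assumption: scope the header to this host so git does not send it elsewhere.
		fmt.Sprintf("GIT_CONFIG_KEY_%d=http.%s://%s/.extraHeader", n, u.Scheme, u.Host),
		fmt.Sprintf("GIT_CONFIG_VALUE_%d=Authorization: Basic %s", n, cred),
	}, ""
}

func main() {
	// Constructed sample values, not real credentials; the header itself is not printed.
	env, warn := checkpointAuthEnv("https://github.com/example/checkpoints.git", "EXAMPLE_TOKEN", nil)
	fmt.Println(len(env), "entries; warning:", warn)
	_, warn = checkpointAuthEnv("git@github.com:example/checkpoints.git", "EXAMPLE_TOKEN", nil)
	fmt.Println("warning:", warn)
}
```
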