Create a git credential helper implementation for gitserver clone credentials

Created by: arussellsaw

ref RFC 310

from the rfc:

🤖 Gitserver credentials

Another place where external service tokens live in plaintext is on disk in the git repos managed by gitserver. This is because we pass a clone URL containing the token in order to authorise the clone; the problem is that git will store this token on disk for future clones. In order to mitigate this, we will plug into git’s credential helper tooling, providing a binary that git will call to authenticate the repo. You can read more here. This binary will read the encrypted access token from metadata we store in the git config of the repo and decrypt it using the KMS API, but via the abstracted Key interface described below.

This will involve building a binary we can ship with gitserver and add to git config, being called by git commands to retrieve credentials when cloning. We will likely also need to embed the encrypted token inside git config, as we do this already with other values. This value can then be read by the helper & decrypted via the Key interface.

💡 It might prove difficult to provide config to this binary easily, so it might be better to have the binary be a client that RPCs back to the local gitserver to do the actual decryption, as we'll need to configure the Key for each deployment.

@unknwon has the most context on this problem
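
The helper flow described in the RFC excerpt, as an added Go example that is not the project's own code: git runs the helper with an operation argument and key=value attributes on stdin, and the helper answers only `get`. The `Key` interface shape, the base64 `placeholderKey` (a stand-in for a KMS-backed key, not encryption), the config key `example.encryptedToken` and the username `oauth2` are all assumptions.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// Key is an assumed shape for the RFC's abstracted Key interface.
type Key interface{ Decrypt(ciphertext string) (string, error) }

// placeholderKey only base64-decodes: a stand-in for a KMS-backed Key, NOT encryption.
type placeholderKey struct{}

func (placeholderKey) Decrypt(c string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(c))
	return string(b), err
}

// parseRequest reads git's credential attributes: key=value lines up to a blank line or EOF.
func parseRequest(r io.Reader) map[string]string {
	attrs := map[string]string{}
	for sc := bufio.NewScanner(r); sc.Scan() && sc.Text() != ""; {
		k, v, _ := strings.Cut(sc.Text(), "=")
		attrs[k] = v
	}
	return attrs
}

// respond answers "get" over https only; "store" and "erase" produce nothing,
// so the helper never persists the token.
func respond(op string, attrs map[string]string, encToken string, k Key) string {
	if op != "get" || attrs["protocol"] != "https" {
		return ""
	}
	token, err := k.Decrypt(encToken)
	if err != nil || token == "" || strings.ContainsAny(token, "\r\n") {
		return "" // fail closed: a newline in the token could inject extra attributes
	}
	return "username=oauth2\npassword=" + token + "\n" // "oauth2" is an assumed username
}

func main() {
	enc, _ := exec.Command("git", "config", "--get", "example.encryptedToken").Output() // hypothetical key
	fmt.Print(respond(os.Args[len(os.Args)-1], parseRequest(os.Stdin), string(enc), placeholderKey{}))
}
```

With the RPC variant suggested in the 💡 note, `placeholderKey` would be replaced by a `Key` whose `Decrypt` calls back to the local gitserver, and the helper binary itself would need no per-deployment key configuration.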