batches: webhooks are applied with an unprivileged context
Created by: LawnGnome
Credit to @eseliger and @mrnugget for figuring this one out while I slept.
When we receive a webhook from a code host, we have to match the payload to an external service and repo to be able to apply the updated state to a changeset. This uses the request context, which defaults to an unprivileged context, which means that private repos are invisible when we attempt to perform the matching.
Ergo: webhooks no longer function with private repos, as of whichever version we added AuthzQueryConds.
The fix here is trivial: since only site admins can configure webhooks, it's safe to replace the context with a privileged internal actor context at the entry point for webhook handlers. From there, private repos should work normally.
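A minimal model of the failure and the fix described above, added here as an illustration and not taken from the pull request or the project's code base. The `Actor` type, `WithInternalActor`, `GetRepo`, `HandleWebhook` and the repo names are assumptions constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Actor is a hypothetical stand-in for the identity carried by a request context.
type Actor struct{ Internal bool }
type actorKey struct{}

// WithInternalActor returns a context that the repo lookup treats as privileged.
func WithInternalActor(ctx context.Context) context.Context {
	return context.WithValue(ctx, actorKey{}, Actor{Internal: true})
}

type Repo struct{ Name string; Private bool }

var ErrRepoNotFound = errors.New("repo not found")
// Constructed sample data: one public and one private repo.
var repos = []Repo{{"github.com/acme/public", false}, {"github.com/acme/secret", true}}

// GetRepo models an authz-filtered store: private repos are invisible
// unless ctx carries an internal actor.
func GetRepo(ctx context.Context, name string) (Repo, error) {
	a, _ := ctx.Value(actorKey{}).(Actor)
	for _, r := range repos {
		if r.Name == name && (!r.Private || a.Internal) {
			return r, nil
		}
	}
	return Repo{}, ErrRepoNotFound
}

// HandleWebhook matches a payload's repo name to a repo. With privileged set,
// the entry point swaps in the internal actor first, as the fix does.
func HandleWebhook(ctx context.Context, repoName string, privileged bool) error {
	if privileged {
		ctx = WithInternalActor(ctx)
	}
	_, err := GetRepo(ctx, repoName)
	return err
}

func main() {
	fmt.Println(HandleWebhook(context.Background(), "github.com/acme/secret", false))
	fmt.Println(HandleWebhook(context.Background(), "github.com/acme/secret", true))
}
```

Because the internal actor bypasses repository permissions for everything downstream, the swap belongs only at entry points whose configuration is already restricted, which the description above gives as site admins.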