Add flag to only access public repositories on GitHub

[aumetra]

This PR adds the WOODPECKER_GITHUB_ONLY_PUBLIC which instructs the GitHub client to only obtain clients which have permissions to operate on public repositories.

We have tested these changes on our own instance and can report that at least the basic functionality works.
Someone please feel free to chime in if this breaks any other functionality of Woodpecker we weren't aware of.

Rationale: This follows the principle of least privilege. We run a public Woodpecker instance for an open-source project. We never intend to run it on anything but public repositories.
The standard permissions are rather scary though.

Read and write access to all public and private data including settings, deploy keys, code, collaboration invites, etc.

By restricting access to the following scopes:

• admin:repo_hook
• repo:status
• user:email
• read:org

we can still have all the functionality Woodpecker needs (manage webhooks, update repository statuses, etc.) without the scary settings such as invites, writing to all aspects, etc.

---

New authorization dialog:

[aumetra]

By the way, does Woodpecker need only write access to webhooks? Or does it need to delete them, too?
Because if it only needs to write and read, then we could further restrict the scopes, away from admin:repo_hook to write:repo_hook

[qwerty287]

No, woodpecker deletes them when you disable a repo, so this scope is necessary.

[qwerty287]

Can you update your branch or allow updates from maintainers?

[aumetra]

Branch is up-to-date (I think allowing changes just isn't a thing I can do because the fork is owned by an org)

[woodpecker-bot]

Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-3566.surge.sh

[aumetra]

The ci/woodpecker/pr/static fail seems like a temporary fail due to network issues.