Commit 2a5482d
Fix duplicate Authorization header (HTTP 400) on git ops in push_to_pull_request_branch (#40281)
* Fix duplicate Authorization header on git ops in push_to_pull_request_branch
The safe_outputs job set http.<url>.extraheader from two sources: the
persist-credentials checkout (.git/config) and the handler injecting a
second value via GIT_CONFIG_* env (getGitAuthEnv). Since the key is
multi-valued, git sent both Authorization headers, causing the server to
reject requests with "Duplicate header: 'Authorization'" / HTTP 400.
- push_to_pull_request_branch.cjs no longer injects gitAuthEnv; it relies
on the credentials persisted in .git/config by the checkout, matching
create_pull_request.cjs.
- The safe_outputs checkout now persists the resolved PR push token
(resolvePRCheckoutToken) so the single retained credential is correct,
also fixing custom-PAT / cross-repo push configurations.
Fixes #40280
* Address PR review: dedupe token resolve, add fallback tests, doc note
- compiler_safe_outputs_steps.go: resolve the PR checkout token once and reuse
it for both the persisted-checkout push token and the Configure Git
Credentials step (was computed twice).
- checkout_manager_test.go: add TestCheckoutPushTokenFallback covering the
safe_outputs push-token fallback (default + additional checkouts): emits the
push token exactly once when no explicit token, does not override an explicit
or app-minted token, and is suppressed when credentials are not retained.
- docs: document which single token governs the shared PR checkout for git
operations and recommend using the same token when both create-pull-request
and push-to-pull-request-branch target the same repository.
* Extend duplicate-Authorization fix to dynamic_checkout.cjs
When the safe_outputs checkout runs with persist-credentials: true (now with the
resolved push token via SetPushToken), .git/config already holds an
http.<serverUrl>/.extraheader that authenticates every <serverUrl> URL — including
the repo dynamic_checkout switches origin to. Injecting a second extraheader put a
duplicate Authorization header on the wire (git treats the key as multi-valued),
which GitHub rejects with "Duplicate header: 'Authorization'" (HTTP 400).
checkoutRepo now trusts the persisted credential and only configures an extraheader
when none is already persisted (preserving callers that run without
persist-credentials). Repointing origin to a clean URL still drops any
embedded-credential URL, leaving the persisted extraheader as the single auth source.
Mirrors the push_to_pull_request_branch.cjs fix.
Adds tests covering both the persisted (skip injection) and non-persisted (inject)
paths.
1 parent a574f34 commit 2a5482d
66 files changed
Lines changed: 322 additions & 21 deletions
File tree
- .github/workflows
- actions/setup/js
- docs/src/content/docs/reference
- pkg/workflow
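
The commit message above describes two sources feeding the same multi-valued `http.<url>.extraheader` key: the persisted `.git/config` entry and `GIT_CONFIG_*` environment variables. The following check for that condition is an added example, not code from this commit or repository; the function names and sample values are constructed, and it groups entries by exact URL key rather than modelling git's URL-prefix matching.

```javascript
// Added example; function names and sample values are constructed, not from the repository.
const SAMPLE_CONFIG = '[remote "origin"]\n\turl = https://github.com/example/repo\n' +
  '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER_A\n';
const SAMPLE_ENV = {
  GIT_CONFIG_COUNT: "1",
  GIT_CONFIG_KEY_0: "http.https://github.com/.extraheader",
  GIT_CONFIG_VALUE_0: "Authorization: basic PLACEHOLDER_B",
};

// http.<url>.extraheader entries persisted in .git/config text.
function fromGitConfig(text) {
  const out = [];
  let url = null; // null while outside an [http ...] section
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const section = line.match(/^\[\s*([\w.-]+)(?:\s+"(.*)")?\s*\]$/);
    if (section) {
      url = section[1].toLowerCase() === "http" ? (section[2] ?? "") : null;
      continue;
    }
    const kv = line.match(/^extraheader\s*=\s*(.*)$/i);
    if (url !== null && kv) out.push({ source: ".git/config", url, value: kv[1] });
  }
  return out;
}

// Entries injected through GIT_CONFIG_COUNT / GIT_CONFIG_KEY_<n> / GIT_CONFIG_VALUE_<n>.
function fromGitEnv(env) {
  const out = [];
  const count = Number.parseInt(env.GIT_CONFIG_COUNT ?? "0", 10) || 0;
  for (let i = 0; i < count; i++) {
    const m = (env[`GIT_CONFIG_KEY_${i}`] ?? "").match(/^http\.(?:(.*)\.)?extraheader$/i);
    if (m) out.push({ source: "GIT_CONFIG_* env", url: m[1] ?? "", value: env[`GIT_CONFIG_VALUE_${i}`] ?? "" });
  }
  return out;
}

// Authorization sources per URL key: file entries first, env after; an empty value resets the list.
function authSources(configText, env) {
  const perUrl = new Map();
  for (const e of [...fromGitConfig(configText), ...fromGitEnv(env)]) {
    if (e.value === "") perUrl.set(e.url, []);
    else if (/^authorization\s*:/i.test(e.value)) perUrl.set(e.url, [...(perUrl.get(e.url) ?? []), e.source]);
  }
  return perUrl;
}

// True when any URL key would put more than one Authorization header on the wire.
const hasDuplicateAuthorization = (c, env) => [...authSources(c, env).values()].some((s) => s.length > 1);
```

Calling `hasDuplicateAuthorization` with the contents of `.git/config` and `process.env` before spawning git reports whether both sources are active for the same key.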