feat: Support KMS for GitHub App JWT signing #3343

Draft
u-kai wants to merge 3 commits into integrations:main from u-kai:feat/kms-signer-interface

@u-kai u-kai commented Apr 17, 2026

Resolves #3317


Before the change?

  • GitHub App authentication required a PEM private key file (pem_file), meaning the
    private key had to be stored in the CI/CD environment.

After the change?

  • Added aws_kms_key_id field to app_auth block and github_app_token data source as
    an alternative to pem_file.
  • When aws_kms_key_id is set, JWT signing is delegated to AWS KMS using the default
    credential chain — the private key never leaves the KMS boundary.
  • pem_file and aws_kms_key_id are mutually exclusive (ExactlyOneOf).

Pull request checklist

I will complete the checklist items once the implementation approach is agreed upon.

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

u-kai added 3 commits April 17, 2026 19:19
Signed-off-by: u-kai <76635578+u-kai@users.noreply.github.com>
Signed-off-by: u-kai <76635578+u-kai@users.noreply.github.com>
Signed-off-by: u-kai <76635578+u-kai@users.noreply.github.com>
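
The delegation described in the pull request above, as an added example that is not code from this PR or from the provider: the JWT is assembled locally and only its SHA-256 digest is passed to a signer. Using Go's standard `crypto.Signer` as the signer interface is an assumption, the in-memory RSA key from the hypothetical `newLocalSigner` stands in for KMS so the example runs offline, and `AppJWT` and `VerifyAppJWT` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// newLocalSigner is the offline stand-in for KMS. A KMS-backed crypto.Signer
// would forward the digest to the KMS Sign operation instead of holding a key.
func newLocalSigner() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AppJWT builds an RS256 GitHub App JWT (iat backdated 60s, exp 9 minutes out).
// Only the SHA-256 digest is handed to the signer.
func AppJWT(s crypto.Signer, appID string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	claims := fmt.Sprintf(`{"iat":%d,"exp":%d,"iss":%q}`, now.Unix()-60, now.Unix()+540, appID)
	input := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256) // PKCS#1 v1.5 for RSA
	if err != nil {
		return "", fmt.Errorf("sign JWT: %w", err)
	}
	return input + "." + enc(sig), nil
}

// VerifyAppJWT checks the signature with the public key alone.
func VerifyAppJWT(tok string, pub *rsa.PublicKey) error {
	i := strings.LastIndex(tok, ".")
	sig, err := base64.RawURLEncoding.DecodeString(tok[i+1:])
	if i < 0 || err != nil {
		return fmt.Errorf("malformed token")
	}
	digest := sha256.Sum256([]byte(tok[:i]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, err := newLocalSigner()
	if err != nil {
		panic(err)
	}
	tok, err := AppJWT(key, "12345", time.Now()) // "12345" is a constructed app ID
	fmt.Println(tok, err, VerifyAppJWT(tok, &key.PublicKey) == nil)
}
```
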
@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@github-actions github-actions bot added the Type: Feature New feature or request label Apr 17, 2026
@u-kai u-kai changed the title feat: kms signer interface feat: Support KMS for GitHub App JWT signing Apr 17, 2026

Development

Successfully merging this pull request may close these issues.

[FEAT]: Support external KMS signing for GitHub App JWT authentication