Provide Authorization header when downloading update-job-proxy

[mbg]

This changes the start-proxy action to provide an Authorization header for the toolcache.downloadTool call under the same circumstances where we provide one for the toolcache.downloadTool call when downloading the CLI bundle.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull Request Overview

This PR refactors the authorization header logic for downloading tools from GitHub by extracting common code into a reusable function and applying consistent authorization patterns to both CLI bundle and update-job-proxy downloads.

• Extracts authorization header logic into getAuthorizationHeaderFor function in api-client.ts
• Updates the start-proxy action to provide authorization headers when downloading update-job-proxy
• Refactors existing CodeQL CLI download logic to use the new common function

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

File	Description
src/api-client.ts	Adds new getAuthorizationHeaderFor function to centralize authorization logic
src/start-proxy-action.ts	Updates proxy binary download to use authorization headers consistently
src/setup-codeql.ts	Refactors to use the new centralized authorization function
lib/*.js	Generated JavaScript files reflecting the TypeScript changes

[esbena]

LGTM, with some minor doc/log thoughts.