Fix GitHub App authentication on runners with minor clock drift #2289

Open
aholstrup1 wants to merge 3 commits into main from aholstrup1-fix-github-app-jwt-clock-drift



@aholstrup1

Collaborator

Why

GitHub App authentication intermittently failed with 401 (Unauthorized) during steps like "Download Project Dependencies", but only on self-hosted runners. The same repo, project, App, and dependency worked fine on GitHub-hosted runners. The differentiator was the runner's clock.

Root cause

GenerateJwtForTokenRequest backdated the JWT iat ("issued at") claim by only 10 seconds. GitHub rejects a JWT whose iat is in its future. A self-hosted runner whose clock runs more than ~10 seconds ahead of GitHub therefore produces a future-dated iat, and the JWT-only call (GET /repos/.../installation, made before any installation token exists) gets a 401. GitHub-hosted runners are tightly time-synced, so they never hit this.

Fix

Backdate iat by 60 seconds instead of 10, as recommended by GitHub, to tolerate runners whose clock runs slightly ahead. The exp claim is left at 10 minutes (already within GitHub's "no more than 10 minutes into the future" limit).

This is intentionally minimal: a one-line change to the backdate plus a release note. Keeping the runner clock synchronized (e.g. via NTP) is still recommended, but AL-Go now tolerates the small drift commonly seen on self-hosted runners.

Fixes: #2284

Backdate the JWT 'iat' claim by 60 seconds instead of 10, as recommended by GitHub, so GitHub App authentication tolerates up to ~60s of clock drift instead of ~10s. Fixes 401 errors on self-hosted runners whose clock runs ahead of GitHub's.

Fixes #2284
Copilot AI review requested due to automatic review settings June 22, 2026 11:13
@aholstrup1 aholstrup1 requested a review from a team as a code owner June 22, 2026 11:13
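
The clock-drift behaviour described in the root cause and fix above, as an added PowerShell example that is not code from this PR or from AL-Go. It models only the rule the description states (an `iat` in GitHub's future is rejected); the function names, the `<app-id>` placeholder and the timestamp are assumptions made for illustration.

```powershell
# Added example: hypothetical helpers, not taken from Github-Helper.psm1.
function New-AppJwtClaims {
    param(
        [long] $RunnerNow,             # runner clock, Unix seconds
        [int]  $BackdateSeconds = 60,  # value from the fix; the old code used 10
        [int]  $LifetimeSeconds = 600  # exp stays at 10 minutes, as in the PR
    )
    [ordered]@{
        iat = $RunnerNow - $BackdateSeconds
        exp = $RunnerNow + $LifetimeSeconds
        iss = '<app-id>'               # placeholder, not a real App ID
    }
}

function Test-AppJwtClaims {
    # Model of the server-side rule from the PR description:
    # an iat that lies in the server's future is rejected.
    param(
        [System.Collections.IDictionary] $Claims,
        [long] $ServerNow              # GitHub's clock, Unix seconds
    )
    [pscustomobject]@{
        IatAccepted   = $Claims.iat -le $ServerNow
        # Seconds until exp as measured on the server clock. The PR cites a
        # limit of 10 minutes; how strictly it is enforced is not stated on
        # the page, so the value is reported rather than used to reject.
        ExpHorizonSec = $Claims.exp - $ServerNow
    }
}

# Constructed scenario: server time is fixed, the runner clock runs ahead
# by each drift value, and both backdate settings are compared.
$serverNow = 1700000000   # constructed timestamp
$rows = foreach ($drift in 0, 5, 15, 45, 75) {
    foreach ($backdate in 10, 60) {
        $claims = New-AppJwtClaims -RunnerNow ($serverNow + $drift) -BackdateSeconds $backdate
        $result = Test-AppJwtClaims -Claims $claims -ServerNow $serverNow
        [pscustomobject]@{
            DriftSec      = $drift
            BackdateSec   = $backdate
            IatAccepted   = $result.IatAccepted
            ExpHorizonSec = $result.ExpHorizonSec
        }
    }
}
$rows | Format-Table -AutoSize
```

The `ExpHorizonSec` column shows that a runner clock running ahead also pushes `exp` further out than 600 seconds on the server's clock, which is worth checking against the limit quoted in the description when drift is large.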

Copilot AI left a comment

Contributor


Pull request overview

This PR aims to make GitHub App authentication more tolerant of minor clock drift on self-hosted runners by adjusting the JWT iat backdating and documenting the change in release notes.

Changes:

  • Backdate the GitHub App JWT iat claim by 60 seconds (previously 10) in GenerateJwtForTokenRequest.
  • Add a release note entry for Issue #2284 describing the JWT clock-drift tolerance change.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Actions/Github-Helper.psm1 | Adjusts JWT iat backdating intended to reduce 401s caused by runner clock drift. |
| RELEASENOTES.md | Documents the Issue #2284 fix and its intended behavior. |

Comment thread Actions/Github-Helper.psm1
Comment thread RELEASENOTES.md

Development

Successfully merging this pull request may close these issues.

[Bug]: GitHub App authentication breaks on self-hosted runners
