Improve AddGitHubModel usability: default API key resource, WithApiKey override, and secret enforcement

[davidfowl]

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Currently, configuring API keys for GitHub models with AddGitHubModel is a bit manual and does not enforce that parameters are secrets. There is no automatic creation or linking of key parameters to the resource name, and WithApiKey does not enforce that the provided parameter is a secret. This can lead to a less streamlined experience and the possibility of accidental misconfiguration.

Describe the solution you'd like

1. AddGitHubModel should automatically add a default GitHub API key parameter.
2. The name of the default key parameter should follow the pattern <resource-name>-gh-apikey (e.g., chat-gh-apikey) and be a child resource of the GitHub model.
3. The method WithApiKey should exist to allow overriding the default key.
4. The parameter passed to WithApiKey should be enforced as a secret; the API should throw (with a clear error) if it is not.

This would simplify configuration and make it easier to manage API keys per resource.

Additional context

• These changes would improve usability and clarity for developers.
• The naming convention makes it easy to discover which key belongs to which model resource.
• Enforcing secrets helps avoid accidental exposure of sensitive information.
• A clear error message should be provided when a non-secret is passed to WithApiKey.