Only respond to credential get actions
Previously, the buildkite-agent git-credential-helper was responding to all git credential helper actions (get, store and erase). Whenever a GCH returns a value from a get action, git asks it to store that credential, in case the helper is capable of caching it.

We aren't capable of caching, but git would ask us to anyway, and we weren't checking the action type, so we'd go away and fetch another credential from buildkite, print it to stdout, and git would ignore it, wasting everyone's time and rate limits.

This commit makes it so that if the GCH action isn't `get`, we'll silently ignore the request and do nothing. This is the [suggested practice](https://git-scm.com/docs/gitcredentials#Documentation/gitcredentials.txt-codegetcode:~:text=If%20it%20does%20not%20support%20the%20requested%20operation%20(e.g.%2C%20a%20read%2Donly%20store%20or%20generator)%2C%20it%20should%20silently%20ignore%20the%20request.) from the git docs.
moskyb committed Feb 22, 2024
1 parent cd9cefc commit 4b071d6
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion clicommand/git_credentials_helper.go
Expand Up @@ -31,7 +31,8 @@ if the pipeline has this feature enabled. All hosted compute jobs automatically
This command is intended to be used as a git credential helper, and not called directly.`

type GitCredentialsHelperConfig struct {
JobID string `cli:"job-id" validate:"required"`
JobID string `cli:"job-id" validate:"required"`
Action string `cli:"arg:0"`

// Global flags
Debug bool `cli:"debug"`
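Review bot: The new `Action` field (`cli:"arg:0"`) has no doc comment and no validation tag, unlike `JobID` right above it. A short comment saying that git passes the operation (get, store or erase) as the first positional argument would explain why this is a positional rather than a flag. It would also help to state that an empty value is expected to be tolerated, since nothing here marks it as required.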
Expand Down Expand Up @@ -76,6 +77,12 @@ var GitCredentialsHelperCommand = cli.Command{
ctx, cfg, l, _, done := setupLoggerAndConfig[GitCredentialsHelperConfig](ctx, c)
defer done()

if cfg.Action != "get" {
// other actions are store and erase, which we don't support
// see: https://git-scm.com/docs/gitcredentials#Documentation/gitcredentials.txt-codegetcode
return nil
}

l.Info("Authenticating checkout using Buildkite Github App Credentials...")

// ie, if the flags are from the command line rather than from the environment, which is how they should be passed
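Review bot: The `cfg.Action != "get"` branch returns nil with no log output, so an empty or mistyped action (for example the helper being configured without git appending the operation) exits successfully and produces no credential, with nothing to show why. Consider a debug-level line on `l` with the received action before `return nil`, kept off stdout because git reads the helper's stdout. The check also runs after `setupLoggerAndConfig`, where `JobID` is marked `validate:"required"`. If that validation can fail on store or erase calls, the request would not be silently ignored as the commit message intends, which is worth confirming. This commit changes only this one file, so a test covering the store and erase paths returning without fetching a credential would be a useful addition.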