Hive
fix(server): surface SSO on the self-hosted login page and add a GitHub sign-in lever
GitHub issue · Closed
Fixes two SSO discrepancies reported by a self-hosted instance running OAuth2 SSO with Enforce SSO enabled (and nothing else on the Authentication tab).
What changed
- SSO button now appears on the login page. Added Accounts.sso_configured?/0 (any organization with an SSO provider) and surfaced the “Log in with SSO” button through a new sso_login_available?/1 helper in UserLoginLive.
- GitHub sign-in is now a real lever. Added Environment.github_auth_enabled?/0 backed by TUIST_GITHUB_AUTH_ENABLED (default 1). Set it to 0 to keep the GitHub App for VCS while removing GitHub as a sign-in method. The button hides and the GitHub OAuth callback in AuthController is rejected.
- Documented TUIST_GITHUB_AUTH_ENABLED in the English self-hosting guide.
Why
The login page (/users/log_in) decided which auth methods to show from global environment config, but generic OAuth2 SSO is configured per-organization (sso_provider on the organization, set in the Authentication tab). On a self-hosted instance with OAuth2 SSO and no global Okta env vars, okta_oauth_configured? or tuist_hosted? was false, so the SSO button never rendered — the only way to reach the SSO flow was to type /users/log_in/sso by hand. The login form has no email yet so it can’t resolve a single org; instead it now asks whether SSO is reachable on the instance at all.
Separately, the GitHub App used for VCS integration (PR comments, etc.) shares its TUIST_GITHUB_APP_CLIENT_ID/_SECRET with GitHub sign-in (see config/runtime.exs ueberauth Github + github_oauth_configured?). Configuring VCS therefore forced a “Log in with GitHub” button onto the login page with no opt-out. Gating sign-in does not affect VCS integration, which uses installation tokens / webhooks / the App JWT rather than the user sign-in callback.
Why this approach over the alternatives
- The GitHub lever defaults to 1, so existing instances are unchanged; only operators who explicitly want GitHub-for-VCS-without-GitHub-login flip it.
- The lever gates the callback, not just the button, so disabling sign-in actually closes the path rather than hiding it cosmetically.
- The password form is intentionally left in place when SSO is enforced. Removing it carries a lockout risk if the IdP is unavailable and is ambiguous on multi-org self-hosted instances. Per-org SSO enforcement is already applied at the dashboard boundary by require_sso_authentication/2.
User / developer impact
- Self-hosted instances with per-org OAuth2/Okta SSO now see the SSO button on the login page automatically.
- Self-hosted operators can set TUIST_GITHUB_AUTH_ENABLED=0 to remove GitHub from the login page while keeping the GitHub App for VCS.
- No change for tuist.dev (still tuist_hosted?) or for instances that haven’t set the new variable.
How to test locally
- Configure an organization with OAuth2 SSO in the Authentication settings tab (no global Okta env vars, TUIST_HOSTED unset).
- Log out and visit /users/log_in — the Log in with SSO button now appears.
- Set TUIST_GITHUB_APP_CLIENT_ID / TUIST_GITHUB_APP_CLIENT_SECRET (as for VCS) and reload — Log in with GitHub appears.
- Set TUIST_GITHUB_AUTH_ENABLED=0 and reload — the GitHub button is gone, and hitting /users/auth/github/callback returns 404.
Automated: mix test test/tuist_web/live/user_login_live_test.exs test/tuist_web/controllers/auth_controller_test.exs (48 tests, 0 failures). mix format + mix credo clean on the touched modules.
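A small model of the gating described in this PR, added here as an illustration and not taken from the Tuist code base: it contrasts a callback that ignores the lever (button hidden only) with one that checks it. The module name, the function bodies and signatures, and the rule that only the literal "0" disables sign-in are assumptions; the environment variable names, the default of 1 and the 404 come from the description above.

```elixir
# Added illustration, not Tuist's code. Module name, function bodies and
# signatures are hypothetical; env var names and the 404 come from the PR text.
defmodule LoginGateExample do
  @id "TUIST_GITHUB_APP_CLIENT_ID"
  @secret "TUIST_GITHUB_APP_CLIENT_SECRET"

  # The GitHub App credentials are shared between VCS integration and sign-in.
  def github_oauth_configured?(env), do: present?(env[@id]) and present?(env[@secret])

  # Assumption: unset means the default "1", and only the literal "0" disables.
  def github_auth_enabled?(env), do: Map.get(env, "TUIST_GITHUB_AUTH_ENABLED", "1") != "0"

  # Instance-wide check: any organization with an SSO provider.
  def sso_configured?(orgs), do: Enum.any?(orgs, &(&1[:sso_provider] != nil))

  # Sign-in methods rendered on the login page.
  def login_buttons(env, orgs) do
    github_on = github_oauth_configured?(env) and github_auth_enabled?(env)
    for {name, true} <- [sso: sso_configured?(orgs), github: github_on], do: name
  end

  # Cosmetic variant: the button honours the lever but the callback does not.
  def callback_button_only(env),
    do: if(github_oauth_configured?(env), do: :proceed, else: {:reject, 404})

  # Gated variant: the callback checks the same lever as the button.
  def callback_gated(env) do
    if github_oauth_configured?(env) and github_auth_enabled?(env),
      do: :proceed,
      else: {:reject, 404}
  end

  defp present?(v), do: is_binary(v) and v != ""
end

# Constructed sample configuration (credentials are placeholders).
creds = %{"TUIST_GITHUB_APP_CLIENT_ID" => "example-id", "TUIST_GITHUB_APP_CLIENT_SECRET" => "example-secret"}
orgs = [%{name: "acme", sso_provider: :oauth2}, %{name: "solo", sso_provider: nil}]
off = Map.put(creds, "TUIST_GITHUB_AUTH_ENABLED", "0")

# Each match raises MatchError if the model disagrees with the expectation.
[:sso, :github] = LoginGateExample.login_buttons(creds, orgs)
[:sso] = LoginGateExample.login_buttons(off, orgs)
:proceed = LoginGateExample.callback_button_only(off)
{:reject, 404} = LoginGateExample.callback_gated(off)
:proceed = LoginGateExample.callback_gated(creds)
IO.puts("lever=0: button hidden, gated callback rejects with 404")
```

With the lever at 0, the button-only variant still accepts the callback while the gated variant rejects it, which is the difference a route-level regression test should pin down.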
Hey! The changes from this pull request are now available in Server 1.214.1. Update to server@1.214.1 (Docker image: ghcr.io/tuist/tuist:1.214.1) to get the fix.