feat(auth): add Workload Identity Federation (OIDC) support #1424

Draft: philross wants to merge 2 commits into stackitcloud:main from philross:feat/wif-auth-support

philross commented Jun 1, 2026

Description

Adds Workload Identity Federation (OIDC) support so CI/CD pipelines can authenticate without long-lived service account key files. The CLI exchanges a short-lived OIDC token for a STACKIT access token using the Go SDK's WIF flow.

  • New internal/pkg/auth/auth.go with env-var helpers (STACKIT_USE_OIDC, STACKIT_SERVICE_ACCOUNT_EMAIL, STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN)
  • Auto-detects token source: env var → GitHub Actions → Azure Pipelines
  • No credentials are written to disk in WIF mode
  • Updated AUTHENTICATION.md with setup guide

relates to #1327

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see e.g. here)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

philross added 2 commits May 29, 2026 22:19
Allows CI/CD pipelines to authenticate without long-lived service account
key files by exchanging a short-lived OIDC token for a STACKIT access token.

philross commented Jun 1, 2026

Before I continue working on this feature: Is the introduction of environment variables (STACKIT_USE_OIDC, STACKIT_SERVICE_ACCOUNT_EMAIL, STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN) mentioned in #1327 the right approach, or should CLI flags (e.g. --use-oidc) be added instead?
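
The token source detection order listed in the pull request description (env var → GitHub Actions → Azure Pipelines), sketched as an added example; this is not code from the pull request or the STACKIT CLI. Assumptions: the names `ResolveTokenSource`, `TokenSource` and `ErrNoTokenSource` are hypothetical, `STACKIT_USE_OIDC` is parsed as a boolean, the service account email is mandatory in OIDC mode, and the CI platforms are recognised by their own OIDC request variables, which the page does not name.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// TokenSource names where the federated OIDC token would be obtained from.
type TokenSource string

const (
	SourceNone   TokenSource = ""
	SourceEnv    TokenSource = "env"
	SourceGitHub TokenSource = "github-actions"
	SourceAzure  TokenSource = "azure-pipelines"
)

var ErrNoTokenSource = errors.New("OIDC enabled but no federated token source found")

// ResolveTokenSource applies the precedence from the PR description.
// getenv is injected so the decision can be tested without the process environment.
func ResolveTokenSource(getenv func(string) string) (TokenSource, error) {
	// Assumption: boolean parsing; unset or unparsable means WIF was not requested.
	if on, err := strconv.ParseBool(getenv("STACKIT_USE_OIDC")); err != nil || !on {
		return SourceNone, nil
	}
	// Assumption: the email is mandatory; fail closed instead of guessing an identity.
	if getenv("STACKIT_SERVICE_ACCOUNT_EMAIL") == "" {
		return SourceNone, errors.New("STACKIT_SERVICE_ACCOUNT_EMAIL is required in OIDC mode")
	}
	switch {
	case getenv("STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN") != "":
		return SourceEnv, nil // an explicit token wins over platform detection
	case getenv("ACTIONS_ID_TOKEN_REQUEST_URL") != "" && getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN") != "":
		return SourceGitHub, nil // set by GitHub Actions when the job has id-token: write
	case getenv("SYSTEM_OIDCREQUESTURI") != "" && getenv("SYSTEM_ACCESSTOKEN") != "":
		return SourceAzure, nil // Azure Pipelines OIDC request endpoint plus job token
	}
	return SourceNone, ErrNoTokenSource
}

func main() {
	src, err := ResolveTokenSource(os.Getenv)
	fmt.Printf("source=%q err=%v\n", src, err) // reports the source name only, never a token value
}
```

Returning an error when OIDC is enabled but no source is found keeps the caller from silently falling back to another credential type.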
