Support for GitHub Deployment Keys by mpdude · Pull Request #59 · webfactory/ssh-agent
This builds on the suggestions of @shaunco in #38 to support GitHub Deployment Keys that are scoped to single repositories.
When connecting to GitHub, the SSH client must present the right SSH key from the agent. Otherwise, the connection will be terminated with the error message:

```
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
```
The idea is that each deployment key (which is passed as a secret) uses a key comment field like `Deploy key for git@github.com:owner/repo`.

After the keys are loaded into the agent, the key comments are scanned. If they match `/\bgithub.com[:/](.*)(?:\.git)?\b/`, two things happen:
- A Git config setting is written that uses `url.<base>.insteadOf`. This config makes git requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` be redirected to a made-up URL like `git@...some.hash...:owner/repo`.
- An SSH config entry is written that works for the made-up hostname `...some.hash...` and redirects it back to `github.com`, applying the right SSH key.
To choose the right SSH key, we use the fact that the key identity (as returned by `ssh-add -L`) can be used to select the key as well. This way, we still avoid having to write private keys to disk at all.
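As an added illustration of the two steps above (this is example code written for this page, not the action's own implementation), the script below reads `ssh-add -L` output, derives a per-key host alias, writes only the public key to disk, and emits the matching `ssh_config` stanza and `url.<base>.insteadOf` rewrites. Assumptions: POSIX `sh`, `cksum` as the source of the alias hash (chosen only for portability; any unique-per-key string would do), the `IdentitiesOnly yes` option added so ssh offers that one key only, and constructed sample key lines that are not real keys.

```shell
#!/bin/sh
# Example helper for GitHub deploy keys (not the webfactory/ssh-agent code).
# Input: lines of `ssh-add -L`; output: pubkey files, ssh_config, gitconfig.
set -eu

# Extract "owner/repo" from a key comment. Returns 1 when the comment does not
# name a github.com repository, so keys without a matching comment are skipped.
repo_from_comment() {
  case "$1" in
    *github.com[:/]*) ;;
    *) return 1 ;;
  esac
  r=${1##*github.com[:/]}      # text after the last "github.com:" or "github.com/"
  r=${r%%[[:space:]]*}         # stop at the first blank
  r=${r%.git}                  # drop an optional .git suffix
  [ -n "$r" ] || return 1
  printf '%s\n' "$r"
}

# Made-up hostname for one key: a checksum of the public key material, so each
# key gets its own Host entry. Assumption: cksum only provides a unique local
# alias; nothing depends on it being collision-resistant.
host_alias() {
  printf 'key-%s.github.com\n' "$(printf '%s' "$1" | cksum | cut -d' ' -f1)"
}

# ssh_config stanza: IdentityFile points at the *public* key file, and ssh asks
# the agent for the private half, so no private key is ever written to disk.
ssh_stanza() {            # $1 = alias, $2 = path to the public key file
  printf 'Host %s\n  HostName github.com\n  User git\n  IdentityFile %s\n  IdentitiesOnly yes\n\n' "$1" "$2"
}

# gitconfig fragment routing both URL forms of the repository through the alias.
git_rewrites() {          # $1 = alias, $2 = owner/repo
  printf '[url "git@%s:%s"]\n  insteadOf = https://github.com/%s\n  insteadOf = git@github.com:%s\n' \
    "$1" "$2" "$2" "$2"
}

# Read `ssh-add -L` lines on stdin and write the results under $1.
configure_deploy_keys() {
  out=$1
  mkdir -p "$out"
  : > "$out/ssh_config"
  : > "$out/gitconfig"
  while IFS= read -r line; do
    type=${line%% *}; rest=${line#* }
    key=${rest%% *};  comment=${rest#* }
    [ "$comment" != "$rest" ] || continue           # key has no comment at all
    repo=$(repo_from_comment "$comment") || continue
    h=$(host_alias "$key")
    printf '%s %s %s\n' "$type" "$key" "$comment" > "$out/$h.pub"
    ssh_stanza "$h" "$out/$h.pub" >> "$out/ssh_config"
    git_rewrites "$h" "$repo" >> "$out/gitconfig"
  done
}

# Constructed sample of `ssh-add -L` output (placeholder key material, not real keys).
SAMPLE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForIllustration Deploy key for git@github.com:acme/backend
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedKeyMaterialNotReal Deploy key for https://github.com/acme/frontend.git
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedRsaKeyNotReal personal laptop key'

if [ "${1:-}" = "--demo" ]; then
  dir="${TMPDIR:-/tmp}/deploy-keys-demo"
  printf '%s\n' "$SAMPLE" | configure_deploy_keys "$dir"
  cat "$dir/ssh_config" "$dir/gitconfig"
fi
```

Run it with `--demo` to see the generated fragments; in real use the `ssh_config` text goes into `~/.ssh/config` and the `[url ...]` sections into the global git config. One caveat worth checking in the result: `insteadOf` is a prefix match, so a rewrite for `https://github.com/acme/backend` also catches `https://github.com/acme/backend-docs`; if you have deploy keys for repositories whose names share a prefix, the git config entries need to be ordered or narrowed so the intended key is chosen.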