docs: update GitHub documentation for service account (#967)

* docs: update GitHub documentation for service account

* add read:org permission

docs/docs/identity-providers/github.md

@@ -41,6 +41,19 @@ Authorization callback URL  | `https://${authenticate_service_url}/oauth2/callba
 
 After the application had been created, you will have access to the credentials, the **Client ID** and **Client Secret**.
 
+## Service Account
+To use `allowed_groups` in a policy an `idp_service_account` needs to be set in the Pomerium configuration. The Service Account for GitHub should be a personal access token with `read:org` permissions, which can be created at [github.com/settings/tokens/new](https://github.com/settings/tokens/new).
+
+![Personal Access Token](./img/github/github-personal-access-token.png)
+
+The format of the `idp_service_account` for GitHub is a base64-encoded JSON document:
+
+```json
+{
+  "username": "YOUR_GITHUB_USERNAME",
+  "personal_access_token": "GENERATED_GITHUB_ACCESS_TOKEN"
+}
+```
 
 ## Pomerium Configuration
 
@@ -51,6 +64,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
 idp_provider: "github"
 idp_client_id: "REDACTED"   // github application ID
 idp_client_secret: "REDACTED"   // github application secret
+idp_service_account: "REDACTED" // github service account (personal access token)
 ```
 
 Whenever a user tries to access  your application integrated with Pomerium, they will be presented with a sign-on page as below: