When a client is configured with a client secret, i.e. it's a confidential client, this secret is not sent with the device authorization request (the very first request where you retrieve the DeviceAuthResponse). RFC-8628 states that:

The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.

In the DeviceAuth (deviceauth.go:82) method, the client_id is always added as a query parameter and the secret is not used. This method should use the same construction as used in newTokenRequest in token.go:183.