The docs specify that the client_secret is specifically not required, if the user access token was created using device flow.

Regardless, you need to pass the client_secret to the http(s)://HOSTNAME/login/oauth/access_token endpoint. Simply set it to an empty string.

Tested on GitHub Enterprise 3.16.