feat(gha-runner-scale-set): ability to set annotations on noPermission service account

[dotdc]

Fixes #3678 Fixes #3672

This pull request adds the ability to set custom annotations on the no_permission_serviceaccount for our gha runner scale sets.

This can be needed in some Google Workload Identity setups:

iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com

Source: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#kubernetes-sa-to-iam

[noamgreen]

can you push this ??? relay needed

[dotdc]

Updated PR description, may also fix https://github.com/actions/actions-runner-controller/issues/3672