answerdigital / terraform-modules

The repo for the infrastructure as code
MIT License

Separate workflow_run job for committing documentation & config #95

Closed cmbuckley closed 1 year ago

cmbuckley commented 1 year ago

As we have seen, pull_request workflows when run by a fork don't have write access to commit the documentation/dependabot changes.

Following the advice at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/, I have separated out the privileged actions that require commit access into a workflow_run workflow.

Now, the existing workflow only performs the terraform validation checks. When it completes successfully, the second workflow attempts to commit documentation/dependabot changes.

If the PR is internal, or it's from a fork and the contributor has selected "Allow edits by maintainers", the workflow can commit back to the PR. If this commit cannot be completed, the workflow fails silently.

The new workflow runs after both triggers of the existing one (pull_request and push), so if the documentation updates can't be committed to the PR, they are committed after it is merged.

The second workflow only fails the commit silently in the case of a pull_request; if it fails after a push for any reason, it will error as expected.

Visual explanation:

```mermaid
graph LR;
  workflowtype{Workflow\ntype?}
  isinternal{Internal\ncontributor?}
  cancontrib{Contributions\nallowed?}
  commitpr[Commit to PR]
  commitpush[Commit after push]
  failsilent[Fail silently]

  workflow_run-->workflowtype;
  workflowtype-->|pull_request|isinternal;
  isinternal-->|Yes|commitpr;
  isinternal-->|No|cancontrib;
  cancontrib-->|Yes|commitpr;
  cancontrib-->|No|failsilent;
  failsilent-.->|Committed after merge|commitpush;
  workflowtype-->|push|commitpush;
```
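The two-workflow split described above, written out as an added illustration (these are not the repository's own workflow files). The unprivileged workflow runs the checks on the PR's code with a read-only token; the `workflow_run` workflow, whose definition always comes from the default branch, holds the write permission, only runs after a successful validation, and tolerates a failed commit only for `pull_request` runs. The file names, the `terraform fmt` check, the `terraform-docs` call and the `DOCS_PUSH_TOKEN` secret are assumptions.

```yaml
# File 1 (assumed name): .github/workflows/validate.yml
# Runs on untrusted PR code, so it gets no write access.
name: validate
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: terraform fmt -check -recursive   # assumed validation step
---
# File 2 (assumed name): .github/workflows/commit-docs.yml
# Privileged follow-up; triggered only when the validation workflow completes.
name: commit-docs
on:
  workflow_run:
    workflows: [validate]
    types: [completed]
permissions:
  contents: write
jobs:
  commit:
    # Do nothing unless the unprivileged checks passed.
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # For a fork PR this is the fork; for a push it is this repository.
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_branch }}
          # Assumed: a token permitted to push to the contributor's branch
          # (the default GITHUB_TOKEN cannot push to a fork).
          token: ${{ secrets.DOCS_PUSH_TOKEN }}
      - run: terraform-docs markdown . --output-file README.md   # assumed doc generator
      - name: Commit generated files
        # Fail silently only for pull_request runs; after a push a failed
        # commit is a real error and should fail the workflow.
        continue-on-error: ${{ github.event.workflow_run.event == 'pull_request' }}
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add -A
          git diff --cached --quiet && exit 0   # nothing to commit
          git commit -m "docs: regenerate documentation"
          git push
```

When the push fails for a fork PR, the same job runs again after the merge (the `push` trigger of the validation workflow), which is where the documentation lands in the "Committed after merge" path of the diagram.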