Review failure mode in publish process

[jku]

The upgrade test that is now part of publish process (https://github.com/sigstore/root-signing-staging/blob/main/.github/workflows/test.yml#L15) is useful as it prevents updates that would be seen as incompatible by clients...

However what if the situation is like this:

• for some reason we have been unable to publish and the GCS bucket has an expired timestamp
• now we have fixed things and do a new online-sign which triggers publish...
• publish workflow makes the pages deployment and runs test.yml which fails because it's tryign to do an upgrade test and the base repo (GCS bucket) fails

There's at least two possible alternatives:

• consider this an exceptional situation, just document how to remove update_base_url argument from the test workflow for the moment and to rerun online-sign
• Make repository-test action survive this in tuf-on-ci: Maybe don't allow base repo (GCS bucket) to fail in every possible way, but allow it to fail with expired metadata...

[jku]

Make repository-test action survive this in tuf-on-ci: Maybe don't allow base repo (GCS bucket) to fail in every possible way, but allow it to fail with expired metadata...

Oh FFS, I've already implemented this in https://github.com/theupdateframework/tuf-on-ci/blob/main/repo/tuf_on_ci/client.py#L80