Add tuf-on-ci workflows

[jku]

Add workflows for tuf-on-ci (see #1247 and for larger context #929).

• these workflows are copied from root-signing-staging and modified for production environment
• an existing test workflow was renamed because of a naming conflict -- I would rather keep the tuf-on-ci workflow with the original name to make it easier to port future changes
• all scheduled runs are disabled until migration happens
• As an additional safety measure the calls to deploy to GCS are commented out: this way we can enable the workflows without deploying all the way to GCS

These workflows should be complete and ready however:

• they require some additional work before they can be enabled (setting repository variables etc), see #1257 for migration plan
• testing the changes from root-signing-staging can only happen here so there could still be issues: review is very welcome

[jku]

last change was a commit message tweak to trigger the broken DCO check

[jku]

... and I had to rebase because the renamed workflow confused githubs merge resolution

[jku]

I've included the GCP details in the online-sign workflow:

Original design uses GitHub variables: This keeps the online-sign workflow unchanged from the upstream one and would be nice if the variables were managed with configuration-as-code. Unfortunately this is not possible in root-signing.

Embed GCP details in the workflow.

[jku]

I had to rebase as GitHub uses a conflict resolution that failed in this case (the default one in git rebase just works). No changes.