Define GitHub variables

[jku]

As part of #1247 I'd like to define a GH secret.

• Secret TUF_ON_CI_TOKEN: this should be a sigstore-bot token with following permissions for sigstore/root-signing:
  • Actions: write to dispatch other workflows when needed
  • Contents: write to create online signing commits, and to create targets metadata change commits in signing events
  • Issues: write to create issues for workflow failures
  • Pull requests: write to create and modify signing event pull requests

Originally I was planning to also set two variables but that would only make sense if sigstore/github-sync would support them -- I will instead include them in the workflow in #1256:

• Variable GCP_SERVICE_ACCOUNT: github-actions@sigstore-root-signing.iam.gserviceaccount.com
• Variable GCP_WORKLOAD_IDENTITY_PROVIDER: projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider

[jku]

Instead of the variables, we could just embed them directly in online-sign workflow if that's preferred (when I built this variable design I assumed they would be set by configuration-as-code...) in #1256

In fact I think I will do that: currently the variable would not be visible to project members in general and that feels wrong.