slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
413 stars 127 forks

[feature] Custom GITHUB_TOKEN for go `upload-assets` #3683

Open OpenWaygate opened 3 months ago

OpenWaygate commented 3 months ago

Is your feature request related to a problem? Please describe.
builder_go_slsa3.yml is a reusable workflow, so I cannot set environment variables when using it.

"Any environment variables set in an env context defined at the workflow level in the caller workflow are not propagated to the called workflow." (ref)

The upload-assets job uses the default GITHUB_TOKEN, so the default releaser is github-actions.

"When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run." (ref)


Accordingly, if I create a new action with this trigger, it will never be triggered:

on:
  release:
    types: [released]

Describe the solution you'd like
I think this can be resolved with a new input: accept a new input GITHUB_TOKEN and use it as an environment variable in upload-assets.

Describe alternatives you've considered
Convert the reusable workflow to a composite action.

Additional context
~

ianlewis commented 3 months ago

You mentioned builder_go_slsa3.yml but I think this is an issue for any other builders that create a release.

For example, the docs for the generic generator show generator_generic_slsa3.yml getting called before the release artifacts are uploaded. So the SLSA workflow is what creates the release, and the user's workflow is uploading the artifacts after the fact. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#getting-started
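The situation described in the issue and in the reply above, laid out as an added example (these are illustrative workflows written for this page, not the project's own documentation or code): a caller workflow invokes the Go builder with `upload-assets: true`, the builder's upload-assets job creates the release with the default GITHUB_TOKEN, and a second workflow that triggers on `release: [released]` therefore never runs. The `go-version`, `config-file` and `upload-assets` inputs and the `permissions` block are the builder's documented ones; the `@<pinned-ref>` placeholder stands for whichever release tag or commit SHA you actually pin to. The `secrets: github-token:` entry is the hypothetical input the issue proposes and does not exist in the builder; note that a reusable workflow receives a token through `secrets:`, not `with:` or `env:`. The final `workflow_run` workflow is a workaround that needs no extra token, because it is triggered by the completion of the caller workflow (itself started by a human tag push), not by the GITHUB_TOKEN-created release.

```yaml
# .github/workflows/release.yml  (caller workflow; illustrative, not from the project)
name: SLSA Go releaser
on:
  push:
    tags:
      - "v*"
permissions: read-all
jobs:
  build:
    permissions:
      id-token: write   # needed to sign the provenance
      contents: write   # needed for upload-assets to create the release
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@<pinned-ref>
    with:
      go-version: "1.21"
      config-file: .slsa-goreleaser.yml
      upload-assets: true   # release is created by the builder with the default GITHUB_TOKEN
    # Hypothetical, as proposed in the issue; NOT an input the builder has today.
    # A release created with this token would generate a real release event.
    # secrets:
    #   github-token: ${{ secrets.RELEASE_PAT }}

---
# .github/workflows/post-release.yml  (never runs today; illustrative)
# The release was created by GITHUB_TOKEN, so GitHub suppresses this event.
name: post-release
on:
  release:
    types: [released]
jobs:
  announce:
    runs-on: ubuntu-latest
    steps:
      - run: echo "release ${{ github.event.release.tag_name }} published"

---
# .github/workflows/post-release-workaround.yml  (works without a PAT; illustrative)
# Triggered by the completion of the caller workflow, which a human started
# with a tag push, so the GITHUB_TOKEN restriction does not apply here.
name: post-release (workflow_run)
on:
  workflow_run:
    workflows: ["SLSA Go releaser"]
    types: [completed]
jobs:
  announce:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "release workflow ${{ github.event.workflow_run.head_branch }} finished"
```

If the proposed token input is added, the practical caveat is that the caller is handing a credential to a reusable workflow hosted in another repository: use a fine-grained PAT (or a GitHub App installation token) restricted to `contents: write` on that one repository rather than a classic PAT, and pin the builder to a tag or commit SHA, since the release event will now trigger every `release:` workflow in the repo with that token's identity as the actor.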