slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0
216 stars, 45 forks

feat: workflow to update actions dist #760

Closed ramonpetgrave64 closed 1 month ago

ramonpetgrave64 commented 2 months ago

Add a new Post-Commit workflow, to make these renovate-bot updates a bit easier. Previously, we had to clone the PR locally, run make package, and then push to the PR. Now we would just need to use the github UI to invoke this new workflow against the PR number. We could also copy this over to the slsa-github-generator repo.

A workflow to run against renovate-bot's PRs, such as make package after it updates the package.json and package-lock.json files. The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. Then a higher-privilege Job applies the diff and pushes the changes to the PR. It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!

Testing.

Tested in my own private fork, where, when applicable, it pushed a commit of changes to the dist/ folders.
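The two-job split described in the PR, sketched here as an added illustration and not the workflow file this PR actually adds. It assumes the PR branch lives in the same repository (as renovate-bot branches do), that `make package` regenerates dist/, and the pinned action versions shown; the PR number reaches the scripts only through an environment variable, never by expression interpolation.

```yaml
name: update-dist-on-pr
on:
  workflow_dispatch:
    inputs:
      pr_number:
        required: true
permissions: {}  # nothing by default; each job requests only what it needs
jobs:
  build:
    # Low-privilege job: the PR's (potentially untrusted) code runs here
    # with a read-only token, so it cannot push or reach write-scoped secrets.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    env:
      GH_TOKEN: ${{ github.token }}
      PR_NUMBER: ${{ inputs.pr_number }}  # via env, never interpolated into a script
    steps:
      - uses: actions/checkout@v4
      - run: gh pr checkout "$PR_NUMBER"  # gh wires up the PR branch and remote
      - run: make package                 # rebuilds dist/ from the updated package*.json
      - run: git diff --binary -- dist/ > dist.patch
      - uses: actions/upload-artifact@v4
        with:
          name: dist-patch
          path: dist.patch
  push:
    # Higher-privilege job: applies the captured diff and pushes it to the PR.
    # It runs only git operations, never anything from the PR itself.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: read
    env:
      GH_TOKEN: ${{ github.token }}
      PR_NUMBER: ${{ inputs.pr_number }}
    steps:
      - uses: actions/checkout@v4         # persists the job token so git push works
      - run: gh pr checkout "$PR_NUMBER"
      - uses: actions/download-artifact@v4
        with:
          name: dist-patch
      - run: |
          [ -s dist.patch ] || { echo "dist/ unchanged"; exit 0; }
          git apply dist.patch
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A dist/ && git commit -m "chore: update dist/" && git push
```

Because the write-scoped token exists only in the second job, a malicious `package.json` script in the first job gets nothing more than read access; the reviewed diff is the only thing that crosses the boundary.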

ramonpetgrave64 commented 2 months ago

@laurentsimon @mihaimaruseac @ianlewis

ramonpetgrave64 commented 2 months ago

This seems a little bit more complex. Can this be done similar to guacsec/guac#953 (comment)?

I used the gh cli because it has some conveniences like setting up the correct remote branch for the PR. If we used actions/checkout within a normal pull_request event, then we wouldn't need to use gh cli.

ramonpetgrave64 commented 2 months ago

@kpk47 And I added some more Repo rules that make this workflow even safer to use. Safer than cloning the PR locally and running the untrusted code.

ramonpetgrave64 commented 1 month ago

Thanks everyone for the reviews