For the AWS credentials action, we can change the with parameters to remove the secret access key and add the role to assume.
For permissions, we can have two cases:
- Job permission is already set: if already set, then we just add id-token: write to it if it does not exist.
- Job permission is not already set: we can use the existing logic to add permissions.
@Devils-Knight please take this up. We can have these test cases:

Scenarios:
1. All permissions already defined. Case 1: top-level permission is defined and job-level is not defined. Case 2: job-level is already defined.
2. Top-level permission is not defined and job-level is also not defined.

- First try to fix the job-level permission using our existing logic. If we can add permissions, then the fix is done.
- If we cannot fix job-level permissions, look at the top-level permission. If the top level is contents: read, then make the job level contents: read and id-token: write.
- If the job-level permission was already defined, then just add id-token: write if it was not already there.
We should also suggest policy changes in the PR description, e.g. changes needed in the AWS account to trust the GitHub Actions token.
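Added example to make the discussion above concrete; this is not code from the project or from any commenter in this thread. It takes a workflow in the dict shape that PyYAML's yaml.safe_load produces, swaps the static-key inputs of aws-actions/configure-aws-credentials for role-to-assume, runs the permission cases listed in the previous comment (job block defined, only top-level contents: read defined, neither defined), and builds the IAM trust policy that the PR description could suggest. The role ARN, the sample workflow, the account and repo names, and existing_permission_fix (a stand-in for the project's existing minimal-permissions logic) are all made up for the example.

```python
"""Added example, not code from the step-security project or the issue author:
rewrite a parsed GitHub Actions workflow so aws-actions/configure-aws-credentials
uses OIDC (role-to-assume) instead of long-lived keys, and apply the permission
cases discussed in the thread. Works on the dict yaml.safe_load would return;
the role ARN, the sample workflow and existing_permission_fix are made up."""
import copy
import json

AWS_CREDS_ACTION = "aws-actions/configure-aws-credentials"
STATIC_KEY_INPUTS = ("aws-access-key-id", "aws-secret-access-key", "aws-session-token")

# Constructed sample workflow, in the shape yaml.safe_load would produce.
SAMPLE_WORKFLOW = {
    "name": "deploy",
    "on": "push",
    "permissions": {"contents": "read"},
    "jobs": {"deploy": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": AWS_CREDS_ACTION + "@v4",
             "with": {"aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                      "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                      "aws-region": "us-east-1"}},
        ],
    }},
}

def fix_step(step, role_arn):
    """Drop static-key inputs and add role-to-assume; return True if changed."""
    if not step.get("uses", "").startswith(AWS_CREDS_ACTION):
        return False
    inputs = step.setdefault("with", {})
    changed = False
    for key in STATIC_KEY_INPUTS:
        if key in inputs:
            del inputs[key]
            changed = True
    if "role-to-assume" not in inputs:
        inputs["role-to-assume"] = role_arn
        changed = True
    return changed

def existing_permission_fix(job):
    """Stand-in (assumption) for the project's existing minimal-permissions logic:
    returns the block it can compute for the job, or None when it cannot."""
    steps = job.get("steps", [])
    if any(s.get("uses", "").startswith("actions/checkout") for s in steps):
        return {"contents": "read"}
    return None

def fix_permissions(workflow, job):
    """Make sure the job may request an OIDC token; return True when it can."""
    job_perms = job.get("permissions")
    if isinstance(job_perms, dict):          # job-level block already defined
        job_perms["id-token"] = "write"      # add it (or upgrade id-token: read)
        return True
    if isinstance(job_perms, str):           # read-all / write-all shorthand
        return job_perms == "write-all"      # only write-all already covers id-token
    computed = existing_permission_fix(job)  # no job block: try existing logic first
    if computed is None and workflow.get("permissions") == {"contents": "read"}:
        computed = {"contents": "read"}      # then fall back to the top-level block
    if computed is None:
        return False                         # not fixable automatically
    computed["id-token"] = "write"
    job["permissions"] = computed
    return True

def fix_workflow(workflow, role_arn):
    """Return (fixed deep copy, names of jobs whose permissions still need a human)."""
    wf = copy.deepcopy(workflow)
    unresolved = []
    for name, job in wf.get("jobs", {}).items():
        touched = [fix_step(s, role_arn) for s in job.get("steps", [])]
        if any(touched) and not fix_permissions(wf, job):
            unresolved.append(name)
    return wf, unresolved

def trust_policy(account_id, owner, repo, ref="refs/heads/main"):
    """IAM trust policy to suggest in the PR description: the GitHub OIDC provider
    may assume the role only with tokens issued for this repo and ref."""
    issuer = "token.actions.githubusercontent.com"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{issuer}:aud": "sts.amazonaws.com",
            f"{issuer}:sub": f"repo:{owner}/{repo}:ref:{ref}"}},
    }]}

if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/github-deploy"  # placeholder ARN
    fixed, todo = fix_workflow(SAMPLE_WORKFLOW, role)
    print(json.dumps(fixed["jobs"]["deploy"], indent=2), "unresolved:", todo)
    print(json.dumps(trust_policy("123456789012", "octo-org", "octo-repo"), indent=2))
```

Two points worth keeping in mind when turning this into a real fix. A job whose permissions are given as the read-all shorthand cannot be fixed by adding a key, so the example reports it as unresolved rather than silently rewriting it. And the sub condition in the trust policy pins the role to one branch; runs triggered by pull_request or bound to an environment carry a different sub claim (repo:owner/repo:pull_request and repo:owner/repo:environment:name respectively), so the suggested policy has to match how the workflow is actually triggered.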