fix!: prevent unsigned plugins from reaching dev, allow grafana-plugins-platform-bot[bot] to sign plugins

[manderson-dev]

This pull request introduces a new workflow input, allow-unsigned-in-dev, to both the CI and CD GitHub Actions workflows. This input serves as an "escape hatch" to optionally restore the previous behavior of allowing unsigned plugin builds in untrusted development contexts, which is now disabled by default. The changes also update the logic for when unsigned builds are permitted and add support for a new GitHub Actions actor. The most important changes are as follows:

Workflow Input and Logic Updates:

• Added a new boolean input allow-unsigned-in-dev to .github/workflows/ci.yml and .github/workflows/cd.yml, allowing maintainers to opt-in to the old behavior of permitting unsigned dev builds in untrusted contexts. This is now false by default, so untrusted dev builds will hard-fail unless explicitly enabled. [1] [2]
• Updated the logic for the allow-unsigned parameter in both workflows to only allow unsigned builds in untrusted dev environments if allow-unsigned-in-dev is set to true. This further restricts when unsigned builds are permitted. [1] [2] [3]

Documentation and Comments:

• Added and updated descriptions and comments in the workflow files to clarify the behavior and intent of the new allow-unsigned-in-dev input, including its default value and usage scenarios. [1] [2] [3]

CI Workflow Actor Update:

• Added github-merge-queue[bot] to the list of trusted actors in the CI workflow, recognizing it as a maintainer-approved actor for post-merge pushes.

Test Workflow Support:

• Updated the test workflow code (tests/act/internal/workflow/ci/ci.go) to include support for the new AllowUnsignedInDev input, ensuring test coverage for this new workflow parameter. [1] [2]

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[leventebalogh]

Left one minor comment, but generally LGTM 👍

(Nit: the PR title mentions grafana-plugins-platform-bot[bot], not the github-merge-queue[bot].)

[leventebalogh]

Might makes sense to add a test case covering the new input.

[manderson-dev]

added a test!

[xnyo]

Code LGTM, just a couple of small suggestions.

Note: I have also renamed the PR from fix: to fix!: for flagging this as a breaking change and trigger a new major release via release-please

[xnyo]

LGTM! Thank you!

[manderson-dev]

Sorry i let this sit some, got busy with other things. Since its end of day Friday, I'll plan to merge this on Monday, i set a reminder. :)