GH Actions: restrict access to certain GH Actions

[yoomlam]

What was the problem?

Anyone on the current team are allowed to do potentially dangerous actions, such as deploy to prod, via GH Action workflows.

Associated tickets or Slack threads:

• Implement mechanism to prevent unauthorized platform actions by partner teams in Github Actions #1961

How does this fix it?

Only allow members of the VRO-RESTRICTED team to do potentially dangerous actions.

Affected workflows:

• delete-old-releases.yml
• delete-published-images.yml
• delete-workflow-runs.yml
• deploy-secrets.yml - restricted only when deploying to prod
• update-deployment.yml - restricted only when deploying to prod

How to test this PR

If you are not in VRO-RESTRICTED, then the above GH Action workflows should fail (when run on this PR's branch yoom/restrict-access) with a Only VRO-RESTRICTED team members can run this action message.

[github-actions]

Test Results

100 tests  ±0   100 ✔️ ±0   47s ⏱️ +2s
  34 suites ±0       0 💤 ±0 
  34 files   ±0       0 ❌ ±0 

Results for commit fbd4de1. ± Comparison against base commit f21f439.

♻️ This comment has been updated with latest results.

[github-actions]

JaCoCo Test Coverage

There is no coverage information present for the Files changed

Total Project Coverage	68.04%	❌

[yoomlam]

These succeed b/c I'm in the VRO-RESTRICTED team:

• 9. Delete old Pre-Releases and tags
• 9. (Internal) Delete old published non-DEV image
• 9. Delete old workflow runs
• prod: Deploying secrets
• prod: Update deployment svc-lighthouse-api v3.4.0

Note the gate-check job runs for each of the updated workflows:

[chengjie8]

Great!. I have verified all the workflows in Yoom's comments.

[chengjie8]

LGTM!

[tejans24]

LGTM

[tejans24]

Should this be setup as a reusable block?

[yoomlam]

I considered that, but there's 2 different versions. Maybe someone can refactor that later.