@stevehipwell stevehipwell commented Nov 25, 2025

Resolves #2425

This PR requires the following changes before it should be merged.

  • Add a ruleset to restrict the creation of branches with the pattern release-v* to maintainers
  • Add ruleset for the default branch and release branches to manage spec
  • Add ruleset to restrict the creation of tags with the v* pattern to the default branch (main) or branches with the pattern release-v*
  • Create release environment and protect it to tags with the pattern v*
  • Move release secrets to release environment
  • Replace project workflow with native project support or add environment and move secret?
  • Create acctest label
  • Create acctest-dotcom & acctest-ghes environments and require that they be approved by maintainers
  • Add DOTCOM_TEST_USER_TOKEN to acctest-dotcom environment
  • Add GHES_TEST_USER_TOKEN to acctest-ghes environment
  • Add GHES_TEST_SERVER_HOST to vars

Post Merge

  • Update ruleset for the default branch and release branches to require the CI & CodeQL workflows to have been run

Post Next Release

  • Update documentation to cover validating artifact attestation

Before the change?

  • Workflows aren't following best practices for security hardening
  • There isn't a way to run acceptance tests from a fork PR
  • The release process isn't attesting the binaries

After the change?

  • Workflows have been hardened
  • Automation can be run from forked repos if a label has been added (repo write) and an environment is approved (repo maintain)
  • Release binaries are attested
  • Release SBOMs are generated
  • CI only runs on fixed branches?

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@nickfloyd nickfloyd left a comment

Looks great! I love the collapse of jobs ❤️ - approving pending completion / this coming out of draft status.

@stevehipwell

Looks great! I love the collapse of jobs ❤️ - approving pending completion / this coming out of draft status.

@nickfloyd the draft status is required until the repo level changes are made to keep secrets isolated from pull request target workflows.
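The label-plus-environment gate described in this thread (a write-access label to start the run, a maintainer-approved environment before any secret is exposed) can be expressed as a single workflow. The following is an added example written for this review, not a file from the PR or the project: the `make testacc` target, the action versions and the `ubuntu-latest` runner are assumptions; the `acctest` label, the `acctest-dotcom` environment and the `DOTCOM_TEST_USER_TOKEN` secret are the names the PR description uses.

```yaml
name: Acceptance tests (fork PRs, label-gated)

on:
  pull_request_target:
    types: [labeled, synchronize]

# Default token gets read-only access; nothing here needs to write.
permissions:
  contents: read

jobs:
  acctest-dotcom:
    # Step 1: a user with repo write access adds the 'acctest' label.
    # Without it the job is skipped, so unlabelled fork PRs never reach the secrets.
    if: contains(github.event.pull_request.labels.*.name, 'acctest')
    runs-on: ubuntu-latest
    # Step 2: the environment has required reviewers (repo maintain).
    # Environment secrets are only released to the job after approval,
    # so the PR's code cannot read DOTCOM_TEST_USER_TOKEN until a maintainer
    # has looked at the head commit being tested.
    environment: acctest-dotcom
    steps:
      # Check out the fork's head SHA (not the base branch that pull_request_target
      # runs in), and do not leave the workflow token in .git/config.
      # In a hardened repo pin this action to a full commit SHA rather than a tag.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Run acceptance tests against github.com
        env:
          # Environment secret; only present because the job was approved above.
          GITHUB_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }}
        run: make testacc  # assumed target name
```

Two points worth checking when reviewing a gate like this: the `synchronize` trigger means a new push to an already-labelled PR re-runs the job, so the environment approval (not the label) is what must be treated as the per-commit review step; and `pull_request_target` executes with the base repository's permissions, which is why `permissions: contents: read` and `persist-credentials: false` are set so that the checked-out fork code has nothing beyond the approved environment secret to work with.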

@ViacheslavKudinov ViacheslavKudinov left a comment

Added some comments

Signed-off-by: Steve Hipwell <[email protected]>
Successfully merging this pull request may close these issues.

[MAINT]: Add GitHub Actions workflow for integration testing