From bot token to per workflow generated token

[ringods]

Fixes: #963, #1087

Moving from a central PULUMI_BOT_TOKEN to the Github Actions permissions block makes the workflows reusable for third party providers too. The generated GITHUB_TOKEN secret in each workflow instance will receive elevated permissions based on the permissions configuration block.

Docs on permission:
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token

Results of testing the changes on third-party providers:

• the required permissions for the publish workflow are set on the calling side of the nested job instead of within the nested job. I tested setting it within publish.yml but it seems it is not possible anymore to elevate permissions in a nested job: https://github.com/pulumiverse/pulumi-acme/actions/runs/11181469935

[danielrbradley]

Looks good on first pass. We should pick an internal provider to roll this out to and verify all the key workflows work: upgrade-provider through to release.

[ringods]

This PR contains too much at once. So chopping it up.

Replacements:

• Use the standard Github generated token with elevated permissions #1099

Will close this PR when all functionality is submitted as separate PRs.

[ringods]

Superseded by:

• Use the standard Github generated token with elevated permissions #1099
• Run tests for thirdparty packages #1102
• Use the configured Github organization for schema-tools #1109
• Combine upstream check & upgrade workflows #1110
• Set elevated token permissions #1111