[ci] Add support for building UEFI Secure Boot signed binaries

[ci] Add support for building UEFI Secure Boot signed binaries

Add a job that takes the bin-x86_64-efi-sb and bin-arm64-efi-sb build
artifacts and signs them for UEFI Secure Boot.

The hardware token containing the trusted signing key is attached to a
dedicated self-hosted GitHub Actions runner.  Only tagged release
versions (and commits on the "sbsign" testing branch) will be signed
on this dedicated runner.  All other commits will be signed on a
standard GitHub hosted runner using an ephemeral test certificate that
is not trusted for UEFI Secure Boot.

No other work is done as part of the signing job.  The iPXE source
code is not even checked out, minimising any opportunity to grant
untrusted code access to the hardware token.

The hardware token password is held as a deployment environment
secret, with the environment being restricted to allow access only for
tagged release versions (and commits on the "sbsign" testing branch)
to provide an additional layer of security.

The signing certificates and intermediate certificates are obtained
from the iPXE Secure Boot CA repository, with the certificate selected
via deployment environment variables.

To minimise hidden state held on the self-hosted runner, the pcscd
service is run via a service container, with the hardware token passed
in via "--devices /dev/bus/usb".

Select the deployment environment name (and hence runner tag) via a
repository variable SBSIGN_ENVIRONMENT, so that forks do not attempt
to start jobs on a non-existent self-hosted runner.

Signed-off-by: Michael Brown <mcb30@ipxe.org>