Add a template for SSH-confirmed jobs

Add a YAML template for jobs that require an SSH connection to a
dedicated, locked-down runner for signing off on sensitive operations
(e.g. signing, publishing).

These jobs all follow a similar scheme:

1. Runner prepares the necessary files in a well-known location (/tmp).
2. Runner generates a shell script to be run by an authorized user.
3. Runner sleeps while waiting for a signal that the script was run.
4. Authorized user logs in to the runner over SSH and runs the script.
5. Runner collects the relevant files and logs as job artifacts.

One additional complication is that each of the above steps needs to be
carried out under the assumption that GitLab Runner is running under a
different user account than the one used for logging in over SSH,
necessitating careful file permission handling.

Having a YAML template for jobs that need to follow the above scheme
significantly improves readability and reuse as each job only needs to
define (via the "variables" YAML key):

- SSH_SCRIPT_RUNNER_PRE: the code the runner should execute before an
  authorized user logs in over SSH (typically: setting up files in a
  well-known location),
- SSH_SCRIPT_CLIENT: contents of the shell script to be run by an
  authorized user,
- SSH_SCRIPT_RUNNER_POST: the code the runner should execute after an
  authorized user runs the script over SSH (typically: artifact
  collection and cleanup).

(cherry picked from commit c61767453de055673538da826f8fab8537c8ed7e)
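
A sketch of the runner side of steps 2 and 3 in the scheme above, added here as an example; it is not part of the commit or of the project's template. It assumes the "signal" is a marker file created by the SSH user in a directory other local users can also write to; the function names and the marker-file approach are hypothetical.

```shell
#!/bin/sh
# Added example: function names and the marker-file signal are assumptions.

# Step 2: write the client script to a well-known path without overwriting
# or following anything another local account may have planted there.
# $1 = script path, $2 = script body
write_client_script() (
    umask 022    # readable by the SSH user, writable only by the runner
    set -C       # noclobber: the redirection fails if $1 already exists
    printf '#!/bin/sh\n%s\n' "$2" > "$1" || exit 1
    chmod 0755 "$1"
)

# Step 3: sleep until the marker appears, then trust it only if it is a
# regular file (not a symlink) owned by the expected SSH user.
# $1 = marker path, $2 = expected numeric UID, $3 = timeout in seconds
# Returns 0 = confirmed, 1 = timed out, 2 = marker present but not trusted.
wait_for_marker() {
    waited=0
    while [ ! -e "$1" ] && [ ! -L "$1" ]; do
        [ "$waited" -ge "$3" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    [ -L "$1" ] && return 2
    [ -f "$1" ] || return 2
    # ls -n prints numeric IDs; the third field is the owning UID.
    owner=$(ls -ldn "$1" | awk '{print $3}')
    [ "$owner" = "$2" ] || return 2
    return 0
}
```

Distinguishing "timed out" from "marker present but not trusted" lets the job fail loudly when some other account created the marker, instead of proceeding to artifact collection.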