@svevang
Member

@svevang svevang commented Jan 28, 2026

Seeing augury github actions breaking with:
https://github.com/PRX/augury.prx.org/actions/runs/21445062178/job/61758391280

#2 [internal] load metadata for docker.io/library/ruby:3.3.7-slim-bookworm
#2 ERROR: failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/library/ruby/manifests/sha256:57e840e9f67058b4901c94f6f61ab979b4c3d96717a80162816971a681ca3bc9: 429 Too Many Requests - Server message: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

The answer is to log into the docker hub (like in the buildspec.yml) so we do not get rate limited. But we need to get at the docker credentials.

This PR sets up the PRX-GHA-AccessRole role so hopefully it can read SSM values for the docker creds.

Then we can do something like this in the github actions:

      - name: Login to Docker Hub
        run: |
          # Read the Docker Hub credentials from SSM Parameter Store
          DOCKERHUB_USERNAME=$(aws ssm get-parameter --name /prx/DOCKERHUB_USERNAME --query Parameter.Value --output text)
          DOCKERHUB_PASSWORD=$(aws ssm get-parameter --name /prx/DOCKERHUB_PASSWORD --query Parameter.Value --output text --with-decryption)
          # Quote the values so whitespace or glob characters in them survive intact
          echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
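
A hardened form of the SSM-based login step in the PR description above, as an added example that is not part of the original conversation or the project's code. The function names `ssm_value` and `dockerhub_login_from_ssm` are hypothetical; the parameter names come from the PR description, and the `::add-mask::` line is an addition, since values fetched at run time are not masked in Actions logs the way GitHub secrets are.

```shell
# Added example: fetch Docker Hub credentials from SSM, refuse empty values,
# mask the password in the job log, then log in over stdin.

# Fetch one SSM parameter value. --with-decryption is required for
# SecureString parameters and is ignored for plain String ones.
ssm_value() {
  aws ssm get-parameter --name "$1" --with-decryption \
    --query Parameter.Value --output text
}

dockerhub_login_from_ssm() {
  # Stop if either lookup fails (missing parameter, denied by IAM, no AWS creds).
  dh_user=$(ssm_value /prx/DOCKERHUB_USERNAME) || {
    echo "could not read Docker Hub username from SSM" >&2
    return 1
  }
  dh_pass=$(ssm_value /prx/DOCKERHUB_PASSWORD) || {
    echo "could not read Docker Hub password from SSM" >&2
    return 1
  }

  # An empty credential would fail the login or leave pulls unauthenticated,
  # so fail the step here instead.
  if [ -z "$dh_user" ] || [ -z "$dh_pass" ]; then
    echo "empty Docker Hub credential returned by SSM" >&2
    return 1
  fi

  # Register the password with the Actions runner so it is redacted if a
  # later command prints it.
  echo "::add-mask::$dh_pass"

  # printf avoids echo's option and escape handling; quoting keeps whitespace
  # and glob characters in the values intact.
  printf '%s' "$dh_pass" | docker login --username "$dh_user" --password-stdin
}
```

In a workflow step, call `dockerhub_login_from_ssm` after the job has assumed its AWS role and before the first image pull.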

@farski
Member

farski commented Jan 28, 2026

Would it make more sense to add those credentials to GitHub as organization-level secrets? That may be a more native way of making them available to Actions.

@svevang
Member Author

svevang commented Jan 28, 2026

I think you're right, it is probably the "actions way". But I had a nagging thought that if we ever change the dockerhub creds we'd have to grep around and change it here too. That said, I'm not super excited about opening up the read surface on SSM (though I do think this is a pretty limited change), so .... github secrets.

Honestly, I'm hoping that this rust build goes away at some point fairly soon anyways, if we can get rid of that vendored build of pola.rs.

@svevang svevang closed this Jan 28, 2026
@svevang svevang deleted the github-actions-read-docker-creds branch January 28, 2026 19:52