Add initial GitHub Actions tests of behavior/output

[tianon]

(#6, take 2)

[tianon]

To unpack what I've done here a little:

• copied library/notary and library/docker verbatim (so they're pinned / reproducible)
• copied the couple .external-pins/*.sh scripts we need to accomplish image pinning
• explicitly pinned all parents of notary, docker:cli, docker:dind, and docker:windowsservercore (except golang:1.19-alpine3.16, which is EOL and thus should not be updated and is a perfect test of the "parent neither pinned nor in our set of things to build" edge case)

All these have valid builds, so even the oistaging lookups succeed correctly and as expected.

Thus, we're able to have "canonical" versions of sources.json and builds.json which are fully reproducible that get committed so they can be compared against in a re-run.

I haven't tested it directly, but this should be enough to even catch what I was describing over in #4 👀

[yosifkit]

LGTM

[whalelines]

Why only on Sunday?

[tianon]

I put something like this in most of my GHA scripts as a fallback "in case it hasn't run this week, do a run on Sunday when nobody's likely to be looking at it to make sure it's still green" because almost everything I write ends up having to be integration tests (and thus prone to breaking due to external factors that don't necessarily create a commit in the repository).

If GHA had a way to say "run this at a random time Soon if it hasn't run in 14 days" or something like that, I'd happily switch to it. 😅

[whalelines]

What does the {0} do here?

[whalelines]

Found it https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#custom-shell

[whalelines]

Aren't these versions out of support?

[tianon]

Alpine 3.16 is still supported (it's 3.15 that just went EOL), but pinning like this ensures our tests are reproducible (we'll be treating alpine:3.16 as sha256:e4cdb7d47b06ba0a062ad2a97a7d154967c8f83934594d9f2bd3efa89292996b in the future for the purposes of these tests even if it's updated).