feat(RELEASE-1387): use trusted artifacts

- in an effort to move away from PVCs, we are trying
  trusted artifacts based on:
  https://github.com/konflux-ci/build-trusted-artifacts/tree/main
- tasks that have been updated now support 2 modes:
  - PVC based workspaces
  - Trusted artifacts with emptyDir workspaces

Summary:
- collect-data, reduce-snapshot, apply-mapping now support trusted
  artifacts mode
- pipelines that use apply-mapping have had the workspace used for
  the apply-mapping task renamed to be in line with other tasks.
- CI changes:
  - it now attempts to detect if a Trusted Artifacts based task
    has been changes and runs the tests with trusted artifacts enabled.
  - tests now create an on-local-cluster registry.

Signed-off-by: Scott Hebert <scoheb@gmail.com>

.github/resources/cert-manager/kustomization.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
+
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            cpu: 90m
+            memory: 90Mi
+          limits:
+            cpu: 120m
+            memory: 120Mi
+    target:
+      kind: Deployment
+      name: cert-manager
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            cpu: 90m
+            memory: 90Mi
+          limits:
+            cpu: 120m
+            memory: 120Mi
+    target:
+      kind: Deployment
+      name: cert-manager-cainjector
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            cpu: 90m
+            memory: 90Mi
+          limits:
+            cpu: 120m
+            memory: 120Mi
+    target:
+      kind: Deployment
+      name: cert-manager-webhook

.github/resources/cluster-issuer/kustomization.yml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - self-signed-cluster-issuer.yaml

.github/resources/cluster-issuer/self-signed-cluster-issuer.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: self-signed-cluster-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-ca
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: self-signed-cluster-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: root-secret

.github/resources/registry/certificate.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: registry-cert
+  namespace: kind-registry
+spec:
+  isCA: true
+  subject:
+    organizations:
+      - konflux
+  dnsNames:
+    - localhost
+    - registry-service.kind-registry
+  issuerRef:
+    kind: ClusterIssuer
+    name: ca-issuer
+  secretName: local-registry-tls

.github/resources/registry/kustomization.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - registry.yaml
+  - certificate.yaml
+  - trust-bundle.yaml

.github/resources/registry/registry.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kind-registry
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: registry
+  name: registry
+  namespace: kind-registry
+  annotations:
+    ignore-check.kube-linter.io/no-read-only-root-fs: "This component requires write permissions"
+    ignore-check.kube-linter.io/run-as-non-root: "This component requires root permissions"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      run: registry
+  template:
+    metadata:
+      labels:
+        run: registry
+    spec:
+      containers:
+        - name: registry
+          image: registry:2
+          resources:
+            requests:
+              cpu: 10m
+              memory: 50Mi
+            limits:
+              cpu: 100m
+              memory: 250Mi
+          ports:
+            - containerPort: 5000
+          env:
+            - name: REGISTRY_HTTP_TLS_CERTIFICATE
+              value: "/certs/tls.crt"
+            - name: REGISTRY_HTTP_TLS_KEY
+              value: "/certs/tls.key"
+          volumeMounts:
+            - name: certs
+              mountPath: /certs
+      volumes:
+        - name: certs
+          secret:
+            secretName: local-registry-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry-service
+  namespace: kind-registry
+spec:
+  type: NodePort
+  selector:
+    run: registry
+  ports:
+    - protocol: TCP
+      nodePort: 30001
+      port: 443
+      targetPort: 5000

.github/resources/registry/trust-bundle.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: trusted-ca
+spec:
+  sources:
+    - useDefaultCAs: true
+    - secret:
+        name: "root-secret"
+        key: "ca.crt"
+  target:
+    configMap:
+      key: "ca-bundle.crt"
+    namespaceSelector: {}

.github/resources/trust-manager/kustomization.yml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - trust-manager.yaml