This strengthens credential handling after our signing keys may have
been leaked in the [codecov.io breach](https://about.codecov.io/security-update/)
* pass only minimal credentials to each build step to avoid
exposing sensitive tokens to tools that don't need them
(like code coverage)
* removed encrypted credential files and replaced with environment-based
* allow full ci/cd including publishing artifacts from forks
* regenerated all passwords, tokens and service accounts
* do not install Google Cloud SDK on GHA - it's already there
* moved RPM signing to 'Stage And Publish Artifacts' phase
* generated new GPG signing key
See https://kopia.discourse.group/t/important-impact-of-codecov-io-security-issue-on-kopia-build-pipeline/377
* Dockerfile: specified reasonable default options for containerized kopia
* addressed pr comments, switched to gcr.io/distroless/static:nonroot
distroless has no executable code, so this requires KOPIA_PASSWORD
to always be provided via env, b/c distroless does not have
/bin/stty to disable TTY echo (we should not require that, BTW)
* site: added docker image documentation
* site: edited installation page and switched Download link to point at it.
Emphasized the use of package managers to download and keep Kopia up-to-date.
Added instructions for using Scoop on Windows.
Co-authored-by: Julio López
* goreleaser: added signatures to RPM binaries
Currently goreleaser does not support it, so we're overriding
signing script and signing all RPMs that it produces.
Also changed goreleaser parameters to only publish binaries
when running on linux/amd64.
* build: added automatic publishing of RPMs to a YUM repository
Also fixed RPM file names to match local conventions.
Add sftp and webdav as repositories to "Getting started" documentation page, "Setting Up Repository" chapter.
Add repositories list and usage examples to doc.
This orchestrates building HTMLUI and main binary, only uses built-in shell script and avoids having any dependencies on Unix tools. Latest go and npm are required.