The podman in `ubuntu-latest` environment apparently is too old to
support `--userns=keep-id:uid=1000,gid=1000`. Employ workaround in GHA
workflow and in `prebuild.sh` check.
Signed-off-by: Chris Evich <cevich@redhat.com>
As an effort to catch potential secrets and/or credential leaks, add a
github-actions workflow which is untouchable in a PR context.
To additionally guard against accidents, also check recent branch
history. This is especially important on newly created
release-branches, which may begin with content from who-knows-where.
Finally, since the new workflow bypasses PR-level changes to the scanner
config and base-line. Add a Cirrus-CI invocation of the scanning tool
to help catch tool-breaking changes from being merged.
Signed-off-by: Chris Evich <cevich@redhat.com>