Switch to managed workload identity pool

[haydentherapper]

Description

The current workload identity pool, used to authenticate the GitHub Action so that it can access GCP resources, is managed manually on the staging and production projects. We have a newer workload identity pool that is managed via Terraform and monitored by the oncall rotation. We should switch over to this, which will require coordination with oncall to make sure the WLI pool is set up properly to support token exchanges with this repo and that the service account has access to the root-signing GCP resources.

[haydentherapper]

Leaving this open as a reminder, but this requires no work at this time. Blocked by #929: Once we switch over to TUF-on-CI to manage this repo, we'll also switch to a new KMS key, which will be accessed by a service account tuf-gha where workload identity federation is managed through the managed workload identity pool.

[haydentherapper]

Note there are a bunch of WLI pools in use in this repo currently.

• A managed WLI pool to grant impersonation for managed service accounts. This will be used going forward to grant access to SAs that manage KMS and GCS
• A WLI pool in the TUF KMS key project. This project will get cleaned up after proposal: Use TUF-on-CI to maintain root-signing #929
• A WLI pool in the production project for GCS access, which will be removed once we switch over to the new tuf-gha SA

[haydentherapper]

This is done for prod as of #1111. Staging will happen once we switch management of the GCS bucket over to sigstore/root-signing-staging, which is tracked elsewhere.