
Conversation

@rical rical commented Nov 4, 2025

Description

Allow a workflow caller to run pre-build scripts through a workflow call variable. This is potentially dangerous as code can be injected here. If for example a malicious actor wants to run their C2 code in the context of someone else they could perhaps inject it here. I assume this is protected by the same mechanism as the workflow files themselves. I.e. github users untrusted to the Infix org won't be able to trigger workflows before being explicitly allowed to do so.

This patch also adds a checkout secret. This allows upstream callers to fetch their own spin / fork through the infix workflows, if they provide a checkout token with the correct permissions to do so.

This pre-build script is currently used by (staged) upstream CI workflows.

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

Allow a workflow caller to run pre-build scripts through a workflow
call variable. This is potentially dangerous as code can be injected
here. If for example a malicious actor wants to run their C2 code in
the context of someone else they could perhaps inject it here. I
assume this is protected by the same mechanism as the workflow files
themselves. I.e. github users untrusted to the Infix org won't be able
to trigger workflows before being explicitly allowed to do so.

This patch also adds a checkout secret. This allows upstream callers
to fetch their own spin / fork through the infix workflows, if they
provide a checkout token with the correct permissions to do so.

Signed-off-by: Richard Alpe <[email protected]>
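The workflow-call variable and checkout secret described in the PR, shown as an added example of how a reusable workflow and an upstream caller could be wired together; this is not the PR's own code, and the input name `pre-build`, the secret name `checkout-token`, the file name `build.yml` and the `OWNER` placeholder are assumptions.

```yaml
# .github/workflows/build.yml (assumed name) -- reusable workflow in the infix repo
name: build

on:
  workflow_call:
    inputs:
      pre-build:
        description: Shell snippet run before the build (assumed input name)
        type: string
        required: false
        default: ''
    secrets:
      checkout-token:
        description: Token used to check out the caller's own fork (assumed secret name)
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Fall back to the job's default GITHUB_TOKEN when no checkout token is given
          token: ${{ secrets.checkout-token || github.token }}

      # The caller-supplied snippet runs verbatim with this job's permissions,
      # which is why only callers already trusted to run workflows may reach it.
      - name: Pre-build script
        if: ${{ inputs.pre-build != '' }}
        run: ${{ inputs.pre-build }}

      - name: Build
        run: make

---
# Caller workflow in an upstream (fork / spin) repository; OWNER is a placeholder
name: ci
on: [push]

jobs:
  ci:
    uses: OWNER/infix/.github/workflows/build.yml@main
    with:
      pre-build: |
        ./scripts/prepare-spin.sh   # constructed example script
    secrets:
      checkout-token: ${{ secrets.CHECKOUT_TOKEN }}
```

Because `inputs.pre-build` is interpolated straight into `run:`, the only boundary on it is who is allowed to trigger the calling workflow, so the repository's workflow-approval settings for outside contributors are the control to verify.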
@troglobit troglobit left a comment


Looks a bit scary, indeed, but we discussed it a bit AFK, weighed the options and possible attack vectors, and decided to approve it.

@troglobit troglobit merged commit bf2e739 into main Nov 7, 2025
7 checks passed
@troglobit troglobit deleted the ci-improvements branch November 7, 2025 14:20