Avoid using GITHUB_TOKEN for PR creation/approval

[xopham]

Requirements for Contributing to this repository

• Fill out the template below. Any pull request that does not include enough information to be reviewed in a timely manner may be closed at the maintainers' discretion.
• The pull request must only fix one issue, or add one feature, at the time.
• The pull request must update the test suite to demonstrate the changed functionality.
• After you create the pull request, all status checks must be pass before a maintainer reviews your contribution. For more details, please see CONTRIBUTING.

What does this PR do?

Replace usage of GITHUB_TOKEN for creation of PRs by dd-octo-sts to allow us to de-activate the insecure setting to allow the GITHUB_TOKEN to create/approve PRs.

Description of the Change

• added a dd-octo-sts trust policy
• adjusted affected workflows
• removed an unneeded permission

Alternate Designs

none

Possible Drawbacks

none

Verification Process

can only be tested via dispatch on default branch

Additional Notes

Release Notes

Review checklist (to be filled by reviewers)

• Feature or bug fix MUST have appropriate tests (unit, integration, etc...)
• PR title must be written as a CHANGELOG entry (see why)
• Files changes must correspond to the primary purpose of the PR as described in the title (small unrelated changes should have their own PR)
• PR must have one changelog/ label attached. If applicable it should have the backward-incompatible label attached.
• PR should not have do-not-merge/ label attached.
• If Applicable, issue must have kind/ and severity/ labels attached at least.