@billybooth
Contributor

Since adaa2a1, the validate secrets workflow has not been failing when the user has an unsigned Apple PLA or when the match secrets repository cannot be decrypted due to a bad match password.

This PR seeks to remedy those issues by restoring the ability of the validate secrets workflow to fail under those circumstances.

…lidate secrets

* Remove `|| true` introduced in adaa2a1 from failure condition
@billybooth
Contributor Author

billybooth commented Nov 14, 2025

Below is a failed build at 0188203 (i.e., dev). This one fails due to an unsigned PLA, but the validation workflow passes and no helpful annotation is surfaced:
https://github.com/billybooth/LoopWorkspace/actions/runs/19210575248

And here's a failed build run at 3741bfc (i.e., the PR branch). This one fails due to an unsigned PLA, but the validation workflow catches the problem and surfaces a helpful annotation:
https://github.com/billybooth/LoopWorkspace/actions/runs/19340532077

@billybooth
Contributor Author

@marionbarker, please re-run the validate_secrets workflow with a known bad MATCH_PASSWORD. Previously, fastlane was including the internal openssl error message with the signal phrase "bad decrypt", but that is no longer the case. We are now checking for this string, which has remained stable for the last 7 years.

@marionbarker marionbarker changed the base branch from dev to update_dev_to_3.9.3 November 18, 2025 23:54
@marionbarker
Contributor

I changed the base to a new branch: update_dev_to_3.9.3.

I will be collecting proposed changes to dev in this branch and then once ready, a PR from update_dev_to_3.9.3 will be used to update the dev branch (with the appropriate approvals from other developers).

@marionbarker
Contributor

Summary

When adding automatic certificate renewal, an inadvertent change was introduced that meant users were not notified they needed to sign a new developer license agreement.

In addition, the language in the fastlane log was modified so that an earlier check for a MATCH_PASSWORD failure no longer reported that error.

This modification fixes both of the shortcomings to improve the browser build error checking capabilities.

Test

@billybooth already demonstrated that with this modification, a user who has not signed their updated license agreement is once again given the appropriate message in the annotations.

However, the language for an incorrect MATCH_PASSWORD previously used is no longer present in the fastlane log with the consequence that the desired error message is not reported.

Test Plan

  1. Run create_certs to make sure all the secrets for the docs-test organization are valid
    • Do not rely on a passing indication, actually review the fastlane job
  2. Modify the MATCH_PASSWORD to be incorrect
    • confirm the error message for dev branch does not provide the correct annotation
    • confirm the error message with the changes in this PR does provide the correct annotation
  3. Restore the MATCH_PASSWORD, revoke the Distribution Certificate and ensure that nuke certs is called to prepare a new certificate (as needed following the annual certificate expiration)

| branch | configuration | action | correct annotation? | result link |
| --- | --- | --- | --- | --- |
| dev | all secrets correct, valid Distr Cert | create certs | success as expected | https://github.com/docs-test/LoopWorkspace/actions/runs/19485144019 |
| dev-validate-secrets-regression-fix | all secrets correct, valid Distr Cert | create certs | success as expected | https://github.com/docs-test/LoopWorkspace/actions/runs/19485222966 |
| dev | incorrect MATCH_PASSWORD, valid Distr Cert | create certs | success was claimed for validate secrets, but fastlane job inside validate_secrets failed with Couldn't decrypt the repo; success was claimed for create certs with same error | https://github.com/docs-test/LoopWorkspace/actions/runs/19485302450 |
| dev | incorrect MATCH_PASSWORD, valid Distr Cert | build loop | run the build loop just to prove that the errors in the previous action are fatal | https://github.com/docs-test/LoopWorkspace/actions/runs/19485579336 |
| dev-validate-secrets-regression-fix | incorrect MATCH_PASSWORD, valid Distr Cert | create certs | this failed with the expected annotation in the validate_secrets fastlane job | https://github.com/docs-test/LoopWorkspace/actions/runs/19485666867 |
| dev-validate-secrets-regression-fix | restore MATCH_PASSWORD, revoke Distr Cert | create certs | success; ran nuke_certs as expected | https://github.com/docs-test/LoopWorkspace/actions/runs/19485747530 |

@marionbarker marionbarker left a comment

Approve from code review and test.
LGTM
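
The regression discussed in this thread, as an added example that is not code from the PR or from the LoopWorkspace workflow: a failure condition wrapped in `|| true` can never fire, so the step passes and no annotation is emitted. The function names, the stand-in `fake_fastlane`, the annotation wording and the exact placement of `|| true` are assumptions; the matched phrase is the one quoted in the test table above.

```shell
#!/usr/bin/env bash
# Added illustration: a constructed model, not the LoopWorkspace workflow script.

# Hypothetical stand-in for the fastlane lane. It prints a constructed log with
# the phrase quoted in the test table, then exits non-zero as a failed lane would.
fake_fastlane() {
  echo "[12:00:01]: Cloning remote git repo..."
  echo "[12:00:03]: Couldn't decrypt the repo"
  return 1
}

# Map a failed log to a GitHub Actions error annotation (wording is constructed).
annotate_failure() {
  local log="$1"
  if grep -q "Couldn't decrypt the repo" "$log"; then
    echo "::error::Match repository could not be decrypted; check MATCH_PASSWORD."
  else
    echo "::error::fastlane failed; see the job log."
  fi
}

# Masked form: `|| true` makes the condition always succeed, so the failure
# branch is unreachable and the step reports success with no annotation.
validate_masked() {
  local log="$1"
  if ! { fake_fastlane > "$log" 2>&1 || true; }; then
    annotate_failure "$log"
    return 1
  fi
  return 0
}

# Fixed form: the lane's exit status reaches the condition unmodified.
validate_fixed() {
  local log="$1"
  if ! fake_fastlane > "$log" 2>&1; then
    annotate_failure "$log"
    return 1
  fi
  return 0
}

# Demo: same failing lane, two outcomes.
log="$(mktemp)"
validate_masked "$log" && echo "masked: step passed, nothing annotated"
validate_fixed "$log" || echo "fixed: step failed with annotation above"
rm -f "$log"
```

This is why the test plan says not to rely on a passing indication: in the masked form the only evidence of the bad password is inside the captured log.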
