Add support for proxying services via GHA job services #41781

Open
fheinecke opened this issue May 20, 2024 · 0 comments
Labels: application-access, feature-request (Used for new features in Teleport, improvements to current should be #enhancements), machine-id

What would you like Teleport to do?

GitHub Actions supports running container images in the background to provide services to a workflow job. I would like to be able to proxy services behind Teleport using this GHA feature. Here's an example of what a workflow would look like:

jobs:
  publish:
    services:
      release-service:
        image: public.ecr.aws/gravitational/tbot-distroless:15.3.4
        env:
          TELEPORT_AUTH_SERVER: <auth server address>
          TELEPORT_BOT_TOKEN: <token>
        ports:
          - 443:8000
    steps:
      - name: Access the service
        run: curl https://localhost:8000/some/service-path

What problem does this solve?

It makes it easier to access services behind Teleport within GHA workflows. Additionally, this avoids writing the cert/key to the disk, which reduces the chance that they get leaked.

There are two technical reasons why this doesn't work today:

  • GHA does not support specifying a command/arg for a service, so the proxy subcommand can't be specified
  • tbot needs to authenticate with the Teleport control plane and/or service prior to starting the proxy. This would require an additional step which GHA does not support.

If a workaround exists, please include it.

Install tbot, authenticate with Teleport, write the certs to disk, and point the local tool at the certs (if supported).
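
While the workaround above still writes the cert/key to disk, the exposure can be narrowed by keeping them in a private per-job directory that is removed on every exit path. The following is an added example, not part of the original issue and not Teleport code; `with_private_certs` and the two caller-supplied commands are hypothetical names, and the issuing command is assumed to be something like a one-shot tbot run whose output directory is the path it receives.

```shell
#!/usr/bin/env bash
# Added example (not Teleport code). Confines short-lived credentials to a
# private directory and removes them even when a step fails.
#
# Usage: with_private_certs ISSUE_CMD USE_CMD
#   ISSUE_CMD and USE_CMD are names of commands or shell functions (both
#   hypothetical, supplied by the caller); each receives the directory as $1.
#   ISSUE_CMD writes the cert/key there (assumption: e.g. a one-shot tbot run
#   configured to output to that path). USE_CMD points the local tool at them.
with_private_certs() (
  issue_cmd=$1
  use_cmd=$2
  umask 077   # anything created from here on is owner-only
  # RUNNER_TEMP is the per-job temp directory on GitHub Actions runners.
  dir=$(mktemp -d "${RUNNER_TEMP:-/tmp}/certs.XXXXXX") || exit 1
  # The function body is a subshell, so this trap fires on every exit path.
  trap 'rm -rf "$dir"' EXIT
  # If issuing fails, stop before the tool runs; the trap still cleans up.
  "$issue_cmd" "$dir" || exit 1
  # Tighten files the issuing tool may have created with looser modes.
  chmod -R go-rwx "$dir"
  "$use_cmd" "$dir"
  exit $?
)
```

The function returns the exit status of the command that uses the certs, so a failed request still fails the workflow step.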

fheinecke added the feature-request label May 20, 2024