This repository has been archived by the owner on Aug 28, 2022. It is now read-only.

ci: Secure GitHub Actions with separate write step #49

Merged
merged 6 commits into from
May 5, 2021

Conversation

@shrink shrink commented May 5, 2021

Addresses #48

The current workflows were written without considering the security implications, however GitHub are now introducing more security by default which means that people who don't consider the security implications are protected from their mistakes: therefore... these workflows no longer work.

This updated workflow separates out the safe build job (which can be run for all Pull Requests without concern) from the unsafe push job (which requires write permissions) so that we can provide meaningful build status reports on Pull Requests and continue to enable easy pushing of builds to the GitHub Container Registry.

  • Application is built and test report artifacts are extracted as part of the same unprivileged job
  • Build workflow runs on all branches and pull requests
  • Docker image is pushed to registry when actor has write permissions
  • Docker image is tagged with short (sha-xxxxxxxx) and branch name
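
The split described in the bullets above, as an added illustration (this is not the project's own workflow file and is not code from the PR): an unprivileged `build` job that runs for every push and pull request and only uploads test reports, and a separate `push` job that is the only place a write-capable token exists. Assumed details: the GHCR registry and `GITHUB_TOKEN` with `packages: write` (the PR's own follow-up comment notes the author fell back to a PAT at the time), the `make test` command, the `reports/` directory, and the action versions.

```yaml
name: ci

on: [push, pull_request]

# Workflow-wide default: every job is read-only unless it says otherwise.
permissions:
  contents: read

jobs:
  build:
    # Unprivileged job: safe to run for all pull requests, including forks,
    # because no job-level permissions are added and nothing is pushed.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2        # assumption: action version
      - name: Build image locally (no push)
        uses: docker/build-push-action@v2  # assumption: action version
        with:
          context: .
          push: false
          load: true
          tags: app:ci
      - name: Run tests and collect reports from the image
        run: docker run --rm -v "$PWD/reports:/reports" app:ci make test   # assumption: test command
      - name: Upload test report artifacts
        uses: actions/upload-artifact@v2   # assumption: action version
        with:
          name: test-report
          path: reports/

  push:
    # Privileged job: runs only after build succeeds and only for push events,
    # so code arriving via pull_request never executes with a write token.
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write                    # the only write scope in the workflow
    steps:
      - uses: actions/checkout@v2
      - name: Derive tags (short sha-xxxxxxxx and branch name)
        id: meta
        uses: docker/metadata-action@v3  # assumption: action version
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=sha,prefix=sha-
            type=ref,event=branch
      - name: Log in to the container registry
        uses: docker/login-action@v1     # assumption: action version
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # assumption: GITHUB_TOKEN rather than a PAT
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
```

The point worth checking in a review of any such workflow is that the `build` job inherits only `contents: read` and that the `if:` guard on `push` excludes `pull_request` events; with both in place, the token a forked PR can reach cannot write to the registry, while the Pull Request still gets a real build status from the unprivileged job.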

@shrink shrink self-assigned this May 5, 2021
shrink commented May 5, 2021

Actually, turns out there's still an issue with GITHUB_TOKEN pushing to the Container Registry so for now it'll continue using the PAT which is much less than ideal -- hopefully GITHUB_TOKEN will be fixed soon :-)

@shrink shrink merged commit 331f2d3 into main May 5, 2021
@shrink shrink deleted the secure-actions-with-nowrite-builds branch May 5, 2021 00:48