This handles trusted publishing for Shaka Packager to NPM without
tokens.
This also updates upload/download actions, and adds a filter on specific
artifacts downloaded to avoid conflicts that have arisen since the last
release.
Also updates the images used in the build matrix.
Issue shaka-project/shaka-player#9132
Because we used require() to read build-matrix.json, the file could be
replaced with build-matrix.json.js, allowing code injection into our CI
pipelines. This fixes this vulnerability by reading the JSON text with
the fs module, then explicitly parsing it, rather than relying on
require().
This also changes the location of the file, to match its location in
other projects.
Note that this workflow is not currently giving any elevated permissions
to users, so it is not currently possible to damage the repo through a
PR. But this might have been possible in the past, due to
organization-wide defaults for token permissions (recently fixed). No
evidence has been found of past exploit.
See also https://github.com/shaka-project/shaka-streamer/issues/216 and
https://github.com/shaka-project/static-ffmpeg-binaries/issues/57
