@vszakats vszakats commented Dec 11, 2025


via #94:

A bunch of ideas I did not implement in this PR:

  • move logins closer to push & sign. To avoid being logged-in while building.
  • think about a way to test the other steps in a PR (perhaps in a PR fork it'd work with the secrets set).
  • replace redhat-actions/podman-login action with podman login command for ghcr.io logins.
    They do the same, though our command invocation is a bit more secure.
    The action logs out, which is a plus, though it's already not done for podman/docker accounts.
    It'd allow dropping this action's dependencies and make it easier to replicate the logic locally.
  • maybe replace ghcr.io user github.actor with github.repository_owner (=curl)? GH token works with both. [WORKS, but no advantages ATM, with a chance of breaking things, so SKIP.]
  • maybe replace sigstore/cosign-installer action with Linuxbrew. Not pinned, with its upsides and downsides.
    To allow dropping this action's dependencies and make it easier to replicate the logic locally.
    With this removed the Settings / Actions / General exceptions could be deleted.
  • add newlines between job steps? My editor gets syntax coloring wrong without one after multi-line items (selfish reason! though perhaps it improves readability. It's also done in all other workflows within the project)
  • perhaps push and sign in a single step?
  • Fix this?:
> Run echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev-debian:master
WARNING: Image reference ghcr.io/curl/curl-container/curl-dev-debian:master uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.

Signing artifact...

https://github.com/curl/curl-container/actions/runs/20120515214/job/57739492278

@vszakats vszakats marked this pull request as draft December 11, 2025 17:59
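
Added example, not part of this PR or of the curl-container workflow: one way to address the cosign warning quoted in the comment above, together with its "push and sign in a single step" idea, by signing the digest that the push itself reported instead of the tag. It assumes the image is pushed with podman and that `COSIGN_PRIVATE_KEY` is set as in the quoted run; `digest_ref` and `push_and_sign` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the curl-container workflow). Helper names are hypothetical.

# Turn "registry/repo:tag" plus "sha256:<64 hex>" into "registry/repo@sha256:<hex>".
# Fails on anything that is not a well-formed sha256 digest, so a tag can never
# slip through to cosign.
digest_ref() {
  _ref=$1
  _digest=$2
  _hex=${_digest#sha256:}
  if [ "$_hex" = "$_digest" ] || [ "${#_hex}" -ne 64 ]; then
    echo "not a sha256 digest: $_digest" >&2
    return 1
  fi
  case $_hex in
    *[!0-9a-f]*) echo "not a sha256 digest: $_digest" >&2; return 1 ;;
  esac
  _ref=${_ref%%@*}          # drop a digest that is already attached
  _name=${_ref##*/}         # last path component, e.g. "curl-dev-debian:master"
  _prefix=${_ref%"$_name"}  # registry (with optional :port) and namespace
  printf '%s%s@%s\n' "$_prefix" "${_name%%:*}" "$_digest"
}

# Push by tag, then sign exactly what the push reported.
# Assumes podman does the push and COSIGN_PRIVATE_KEY is set, as in the quoted run.
push_and_sign() {
  _image=$1
  _file=$(mktemp) || return 1
  podman push --digestfile "$_file" "$_image" || { rm -f "$_file"; return 1; }
  _pushed=$(cat "$_file"); rm -f "$_file"
  _signref=$(digest_ref "$_image" "$_pushed") || return 1
  echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "$_signref"
}

# Offline demo with a constructed (all-zero) digest; no registry access needed.
digest_ref ghcr.io/curl/curl-container/curl-dev-debian:master "sha256:$(printf '%064d' 0)"
```

Because the signed reference is derived from the digest file written by the same push, a tag that is moved between the push and the sign step does not change what gets signed.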