Sign bot commits in composite actions (use GitHub API instead of local git) #240

Description

@tolzhabayev

Part of grafana/grafana-catalog-team#951 — commit signing for the bot/automation commits made by this repo's composite actions.

These actions commit as grafana-plugins-platform-bot[bot] using local git, which produces unsigned commits. A GitHub App can't hold a GPG/SSH key, so the only way to get a Verified signature is to commit via the GitHub API (createCommitOnBranch / planetscale/ghcommit-action). Because these are reusable actions, the unsigned commits propagate to every consumer plugin repo.

| Action | Mechanism | Priority |
|---|---|---|
| build-plugin/action.yml | `git commit` + `git push origin HEAD:${DEFAULT_BRANCH}` (direct push to the consumer's default branch) | P0 — lands unsigned on a protected branch; would fail "Require signed commits" |
| bundle-types/action.yml | `git commit` + push to grafana/plugin-extension-types (cross-repo) | P0/P1 |
| create-plugin-update/action.yml | pushes a PR branch (commits from create-plugin update) | P1 — PR → squash-merge covers the default branch |
| playwright-gh-pages/deploy-report-pages/action.yml | `git commit` + `git push -f` to the gh-pages branch | Low — content branch, not protected |

Fix = replace local git commit/git push with API-based committing. Same investigation/context as grafana/plugin-ci-workflows#774.
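As an added example (not code from this repo's actions or from the issue author), this is the shape of the API-based replacement the issue proposes: build a `createCommitOnBranch` input from the working-tree changes and post it with the App's installation token, so GitHub signs the commit server-side. The repository name, branch, head OID and token are constructed placeholders.

```python
"""Commit through the GitHub GraphQL API (createCommitOnBranch) instead of local git.
The commit is created and signed by GitHub, so it shows as Verified even though the
GitHub App holds no GPG/SSH key. Example code, not the repo's own action."""
import base64
import json
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"
CREATE_COMMIT_MUTATION = """
mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}"""


def build_commit_input(repo, branch, expected_head_oid, headline, changes, body=""):
    """Build a CreateCommitOnBranchInput dict.

    changes: {path: bytes} for files to add/modify, {path: None} for files to delete.
    expected_head_oid is the branch tip read before the files were edited; the API
    refuses the commit if the branch moved in the meantime, so no force-push is needed.
    """
    additions = [{"path": p, "contents": base64.b64encode(data).decode("ascii")}
                 for p, data in sorted(changes.items()) if data is not None]
    deletions = [{"path": p} for p, data in sorted(changes.items()) if data is None]
    return {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        "expectedHeadOid": expected_head_oid,
        "message": {"headline": headline, "body": body},
        "fileChanges": {"additions": additions, "deletions": deletions},
    }


def commit_via_api(token, commit_input):
    """POST the mutation with an App installation token; return the new commit OID."""
    payload = json.dumps({"query": CREATE_COMMIT_MUTATION,
                          "variables": {"input": commit_input}}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=payload, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        result = json.load(resp)
    if "errors" in result:  # e.g. expectedHeadOid mismatch or missing contents:write
        raise RuntimeError(result["errors"])
    return result["data"]["createCommitOnBranch"]["commit"]["oid"]


if __name__ == "__main__":
    # Constructed sample: one generated file plus one deletion on a placeholder repo.
    sample = build_commit_input("example-org/example-plugin", "main", "0" * 40,
                                "chore: bundle types", {"dist/types.d.ts": b"export {};\n",
                                                        "old.txt": None})
    print(json.dumps(sample, indent=2))
```

The token must come from the App installation (contents: write on the target repo), and the head OID from the remote branch, not from a local commit the action never pushes.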

Status: 🧑‍💻 In development