feat(deploy-report-pages)!: replace GitHub Pages with GCS for Playwright reports #253

Closed
mckn wants to merge 1 commit into main from mckn/gcs-artifacts-retention-access

mckn commented Jun 22, 2026

Summary

  • Replaces the gh-pages branch push with uploads to a Grafana-managed Google Cloud Storage bucket via Workload Identity Federation, eliminating the broad contents: write permission.
  • Reports are restricted to Grafana Google Workspace accounts (bucket IAM) and served via authenticated storage.cloud.google.com links.
  • Retention is now handled by a GCS object lifecycle rule (90 days) — cleanup-folders.sh is deleted and retention-days/pages-branch inputs are removed; bucket (required) replaces them.
  • build-pr-comment.js constructs links using the new REPORT_BASE_URL env var (pointing directly at index.html since GCS doesn't auto-serve directory indexes) and appends a note that reports require a Grafana sign-in and are retained for 90 days.
  • The action uses grafana/shared-workflows/actions/login-to-gcs (WIF, keyless) and google-github-actions/upload-cloud-storage, namespacing objects under {bucket}/{owner}/{repo}/{YYYYMMDD}/{pr-or-run-id}/.

Test plan

  • Run CI on a PR in a test plugin repo (in the grafana org) to generate matrix artifacts
  • Trigger the publish job and confirm objects land at gs://<bucket>/<owner>/<repo>/<YYYYMMDD>/<pr>/...
  • Confirm PR comment renders with storage.cloud.google.com/.../index.html links and the 90-day retention note
  • Open a report link signed in as a Grafana Workspace member → loads; signed out → 403
  • Confirm no contents: write permission is needed anywhere

Related PRs

Removes the gh-pages branch push (and the broad `contents: write` permission it
required) in favour of uploading Playwright reports to a Grafana-managed Google
Cloud Storage bucket via Workload Identity Federation. Access is restricted to
Grafana Google Workspace accounts. Retention is handled by a GCS object lifecycle
rule (90 days) instead of the now-deleted cleanup-folders.sh script.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
mckn requested a review from a team as a code owner June 22, 2026 12:37
mckn requested review from andresmgot, s4kh and toddtreece June 22, 2026 12:37
mckn self-assigned this Jun 22, 2026
mckn moved this from 📬 Triage to 🧑‍💻 In development in Grafana Catalog Team Jun 22, 2026
github-project-automation Bot moved this from 🧑‍💻 In development to 🔬 In review in Grafana Catalog Team Jun 22, 2026
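
The object layout and authenticated link format described in the PR summary, as an added example (not code from this PR or from build-pr-comment.js): hypothetical helpers that build the `{owner}/{repo}/{YYYYMMDD}/{pr-or-run-id}` prefix and the `storage.cloud.google.com/.../index.html` links, rejecting any segment that could alter the object path or the Markdown of the PR comment. The function names, the allow-list pattern, the per-artifact subfolder and the sample values are assumptions.

```javascript
// Added example: hypothetical helpers, not the PR's build-pr-comment.js.
// Layout from the PR summary: {bucket}/{owner}/{repo}/{YYYYMMDD}/{pr-or-run-id}/

// Assumed allow-list for a single path segment (no slashes, spaces or brackets).
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function safeSegment(name, value) {
  const s = String(value);
  // Reject anything that could traverse the prefix or break out of a Markdown link.
  if (!SEGMENT.test(s) || s.includes('..')) {
    throw new Error(`invalid ${name}: ${JSON.stringify(s)}`);
  }
  return s;
}

// Date component of the prefix, always computed in UTC.
function yyyymmdd(date) {
  return date.toISOString().slice(0, 10).replace(/-/g, '');
}

function reportPrefix({ owner, repo, date, id }) {
  return [
    safeSegment('owner', owner),
    safeSegment('repo', repo),
    yyyymmdd(date),
    safeSegment('id', id),
  ].join('/');
}

// Assumed shape of the value passed to the comment builder as REPORT_BASE_URL.
function reportBaseUrl(bucket, prefix) {
  return `https://storage.cloud.google.com/${safeSegment('bucket', bucket)}/${prefix}`;
}

// GCS does not auto-serve directory indexes, so link straight to index.html.
function reportLink(baseUrl, artifact) {
  const dir = safeSegment('artifact', artifact);
  return `[${dir}](${baseUrl}/${dir}/index.html)`;
}

function buildComment(baseUrl, artifacts) {
  const lines = artifacts.map((a) => `- ${reportLink(baseUrl, a)}`);
  lines.push('', '_Reports require a Grafana sign-in and are retained for 90 days._');
  return lines.join('\n');
}
```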

sunker left a comment

This looks very promising, nice work!

Some high-level feedback from my side:

  • This will not work for the community. Given this has not received much community traction, I think it's okay if we drop community support but in that case we should probably move the actions to plugin-ci-workflows?
  • The action names no longer make sense. I'd change the root folder name from playwright-gh-pages to playwright-reports and deploy-report-pages to publish-report
  • github-token is now unused after dropping peaceiris so we can remove it
  • The action should default to a shared internal bucket with the right config for internal teams. Ideally it serves the report as a proper static site AND is browsable only by Grafana users. IIRC GCS can't do both at once as static website hosting requires the bucket to be public. Maybe we can route through the load balancer and protect the bucket with IAP?

mckn commented Jun 25, 2026

Closing in favor of grafana/plugin-ci-workflows#819

mckn closed this Jun 25, 2026
github-project-automation Bot moved this from 🔬 In review to 🚀 Shipped in Grafana Catalog Team Jun 25, 2026