Trigger AWS Lambda tests on label

[sentrivana]

Our AWS Lambda test suite currently doesn't run properly on external contributor PRs because it needs access to repo secrets, which it currently doesn't have. This PR adds a label to grant access to the secrets, which is invalidated upon any new code changes.

How it works

For the AWS Lambda test suite (and any future test suites that need access to GH secrets):

• add a new check-permissions job that runs before all test jobs
  • the check-permissions job runs a Python script (taken from here) that finishes with an error code if the PR was not made by someone with write permissions and there is no Trigger: tests using secrets label on the PR
  • additionally, the job removes the Trigger: tests using secrets label on any code changes before any code from the PR is checked out
• make all test jobs depend on check-permissions finishing successfully
• run the workflow on pull_request_target (with access to secrets)

Copied and adapted the approach from sentry: https://github.com/getsentry/sentry/blob/master/.github/workflows/getsentry-dispatch.yml

The test AWS account has been stripped down of all unnecessary permissions: #2493 (comment)

Since the workflow is now on pull_request_target it won't run until we've actually merged this PR. I tried the changes out in a test repo.

Supersedes #2493

[sentrivana]

cc @asottile-sentry @mdtro in case you guys want to/have time to double check

[asottile-sentry]

otherwise looks good

[asottile-sentry]

I would maybe make this more explicit that it's sensitive tests requiring secrets

[sentrivana]

Changed to "Trigger: tests using secrets" (open to better names)