[IGNORE] add snyk workflow to regenerate lockfile

[jgbernalp]

Description

This PR creates a new GitHub workflow to allow to regenerate the lockfile when a PR is coming from a snyk branch. It amends the commit with DCO signing and the package-lock.json file changes.

Checklist

• Pull request has a descriptive title and context useful to a reviewer.
• Pull request title follows the [<catalog_entry>] <commit message> naming convention using one of the
  following catalog_entry values: FEATURE, ENHANCEMENT, BUGFIX, BREAKINGCHANGE, DOC,IGNORE.
• All commits have DCO signoffs.

[andreasgerstmayr]

I would avoid any 3rd-party GitHub action in our CI to avoid any possible pipeline compromise.

[andreasgerstmayr]

(use the regular git cli, or gh)

[andreasgerstmayr]

I'm surprised that snyk creates broken PRs, maybe it has a setting somewhere to regenerate the lockfile?

[jgbernalp]

I'm surprised that snyk creates broken PRs, maybe it has a setting somewhere to regenerate the lockfile?

I was too. But it seems workspaces are not fully supported... Or we ar missing to check a checkbox: https://docs.snyk.io/supported-languages-package-managers-and-frameworks/javascript/git-repositories-and-javascript

[andreasgerstmayr]

Recent PRs update the lockfile now: perses/perses#3152

However, the DCO check still fails. As the snyk bot is required by CNCF, and the DCO bot also (I guess), there should be a simple solution for that (configure the DCO bot to ignore snyk commits, or configure the snyk bot to add a commit sign-off).