Set up auto-syncing of edge branch from upstream (with branch locked for everything else)

[patcon]

Resolves #53

This adds a new workflow to run regularly and pull commit from upstream edge and push them to our edge, so it stays up-to-date. It also documents some associated settings changes in repo.

The hard part was making it so that a workflow could push to a protected branch, but no regular users can without changing settings, even ones who are admin on the repo (who might easily do so by accident).

Starting review with the workflow file will be most helpful, as it explain context on the rest :)

Of note:

• admins can't push any new refs to branch (ONLY the workflow can push, via its repo deploy key)
• making any changes to edge will require adding a bypass to the branch protection rule (for admin users)

Todos

• write the workflow
• documented repo ruleset config in code: .github/config.yml
• test the workflow
  • that admin can't push from workstation via ssh key
  • that admin personal access token can't push
  • that workflow github_token can't push
  • that deploy key in workflow CAN push
• remove classic branch protection rule
• create new branch protection ruleset (doc'd in code)
• add repo secret EDGE_SYNCER_KEY_PRIV
  • see: https://github.com/CivicTechTO/polis/settings/secrets/actions
• add public SSH deploy key to repo edge-syncer
  • see: https://github.com/CivicTechTO/polis/settings/keys
• update final docs mentions from patcon/polis to CivicTechTO/polis repo

[patcon]

Closing this one because I think the code might be demonstrable in the UI if I create it from this repo

[NewJerseyStyle]

I assume branch 53-sync-from-upstream is no longer needed and is safe to be removed?