ghaction-github-pages
FR: Using a deploy key instead of OAuth token
Description
What
Ability to provide a repo-specific deploy key which is used to push to the target branch.
Why
- When pushing cross-repo, a PAT seems to be the only option.
- Granular PATs are narrow and secure, but enforce expiry and have no programmatic renewal or trust relationship even within GHA. This makes them annoying and prone to keeling over without manual toil.
- Legacy PATs can be set to not expire, but are much more powerful than is needed here.
- A write-enabled deployment key would provide granularity to just one repo but with no enforced expiry. This could hit a security sweet spot.