fix(login-to-gar): replace hardcoded opt dir with runner temp env var (#1001)

* Replace hardcoded /opt directory with RUNNER_TEMP

Non-root users are not allowed to write in the /opt directory.
Instead we leave it to github runners to create stuff in a temp directory
that every user can access.

Note that we are allowing zizmor to ignore a github env error.
This is because the RUNNER_TEMP variable is controlled just by GITHUB_ACTIONS and
is not accessible to anyone else

* Reword

* Remove second zizmor ref

Author: dsotirakis

actions/login-to-gar/action.yaml

@@ -64,7 +64,7 @@ runs:
       shell: bash
       env:
         DOCKER_CREDENTIAL_GCR_VERSION: "v2.1.28"
-      run: |
+      run: | # zizmor: ignore[github-env]
         set -ex
 
         # Install docker-credential-gcr:
@@ -102,9 +102,11 @@ runs:
 
         if [[ ! -z ${tag} ]]; then
           echo "Installing docker-credential-gcr @ ${tag} for ${os}/${arch}"
-          mkdir -p /opt/docker-credential-gcr
-          curl -fsL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/${tag}/docker-credential-gcr_${os}_${arch}-${tag:1}.tar.gz" | tar xzf - -C /opt/docker-credential-gcr docker-credential-gcr
-          echo "/opt/docker-credential-gcr" >> $GITHUB_PATH
+          mkdir -p "${RUNNER_TEMP}/docker-credential-gcr"
+          curl -fsL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/${tag}/docker-credential-gcr_${os}_${arch}-${tag:1}.tar.gz" | tar xzf - -C "${RUNNER_TEMP}/docker-credential-gcr" docker-credential-gcr
+          # Ignoring the github-env warning - docker-credential-gcr binary must be on the PATH for credHelpers in /.docker/config.json to work.
+          # We are only adding a path to a binary that was just downloaded in RUNNER_TEMP (controlled by GitHub Actions).
+          echo "${RUNNER_TEMP}/docker-credential-gcr" >> $GITHUB_PATH
         fi
     - name: "Configure GCP Artifact Registry"
       if: ${{ steps.auth_with_service_account.outputs.access_token == '' }}