feat(github_actions_usage): Prisma migration for db user

Moves the manually applied SQL script to create the `github_actions_usage` user,
and apply permissions, to a Prisma migration, so that it gets automatically applied.

packages/common/prisma/migrations/20240614143000_github_actions_usage_user/migration.sql

@@ -0,0 +1,21 @@
+DO
+$do$
+    BEGIN
+        -- Create the `github_actions_usage` user if it doesn't exist
+        IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE  rolname = 'github_actions_usage') THEN
+            CREATE USER github_actions_usage WITH LOGIN;
+        END IF;
+
+        -- The rds_iam role is created by the RDS IAM extension, which is not available in DEV
+        IF EXISTS (select * from pg_roles where rolname='rds_iam') THEN
+            GRANT rds_iam TO github_actions_usage;
+        END IF;
+
+        GRANT USAGE ON SCHEMA public TO github_actions_usage;
+        GRANT SELECT ON public.github_workflows TO github_actions_usage;
+        GRANT SELECT ON public.github_repositories TO github_actions_usage;
+
+        -- The github_actions_usage user owns this table, so can do full CRUD operations
+        GRANT ALL ON public.guardian_github_actions_usage TO github_actions_usage;
+    END
+$do$;

sql/ci.sql

@@ -27,5 +27,27 @@ INSERT INTO audit_results (
 );
 SELECT * FROM audit_results LIMIT 1;
 
+-- The user github_actions_usage...
+SET ROLE github_actions_usage;
+
+-- ...should be able to read from these tables
+SELECT * FROM github_workflows LIMIT 1;
+SELECT * FROM github_repositories LIMIT 1;
+
+-- ...and read/write to the table guardian_github_actions_usage
+INSERT INTO guardian_github_actions_usage (
+    evaluated_on
+    , full_name
+    , workflow_path
+    , workflow_uses
+) VALUES (
+    NOW()
+    , 'guardian/service-catalogue'
+    , '.github/workflows/ci.yml'
+    , ARRAY['guardian/actions-riffraff@v4']
+);
+SELECT * FROM guardian_github_actions_usage LIMIT 1;
+
+
 -- Switch back to the original user
 RESET role;