tuf-on-ci migration: Enable publishing to production #1354

Merged (1 commit), Sep 3, 2024

Conversation

@jku (Member) commented Sep 3, 2024

Switch on the publishing to production GCS bucket (which was left off in the tuf-on-ci migration for some manual testing)

  • The preprod tests (TUF smoke test, sigstore client tests) are green. This covers cosign, sigstore-go, sigstore-python, sigstore-java and sigstore-js.
  • We have manually tested a few clients, including cosign v2.2.0.
  • This will unfortunately break sigstore-rs temporarily (root-signing metadata is incompatible with current sigstore-rs #1251).
  • There is no rush, but a bit of urgency: on-call starts getting alerts on Wednesday (because of a timestamp that expires on 2024-09-06).

Fixes #1340

Asking for reviews from at least @haydentherapper and @kommendorkapten

Testing looks good, let's push the tuf-on-ci managed repository to
production GCS bucket.

Fixes sigstore#1340

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku (Member, Author) commented Sep 3, 2024

Marking as draft just to make sure we don't move fast and break things; I believe this PR is ready and we can merge, but let's make sure there is consensus.

Also sigstore/sigstore-probers#270 should preferably be merged before this

@jku jku marked this pull request as draft September 3, 2024 10:02
@jku (Member, Author) commented Sep 3, 2024

One more detail: enabling tuf-on-ci will stop publishing the non-versioned root, snapshot and targets metadata:

  • This is a planned deprecation: no one should be using these files.
  • Load balancer logs show a number of requests for non-versioned metadata (20k per day), but our understanding is that these come from old cosign versions in CI runs that have been consistently failing for a long time already:
    • cosign used to download these non-versioned files for "debug purposes" after the actual, versioned metadata update had already failed; this seems to account for at least the overwhelming majority of the non-versioned requests.
    • These "debug requests" use the same default "go-http-client" user agent as cosign normally does, but they are identifiable by the unusual order of requests.
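The distinction drawn in the comment above (non-versioned fetches that follow a versioned update attempt, versus clients that only ever ask for non-versioned files) is the kind of thing worth checking in the balancer logs before the files disappear. The script below is an added example, not code from sigstore/root-signing or tuf-on-ci: the log line format is a constructed, simplified one (timestamp, client IP, method, path, status, quoted user agent) and the classification rule is a heuristic illustrating the request-order idea, not an official cosign fingerprint. Adapt LINE_RE to the real load balancer's format.

```python
"""Classify requests for TUF metadata in load-balancer logs.

Added example, not code from sigstore/root-signing or tuf-on-ci. The log line
format (timestamp, client IP, method, path, status, quoted user agent) is a
constructed, simplified one; adapt LINE_RE to the real balancer's format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. 203.0.113.10 shows the pattern described in the PR
# comment: versioned metadata first, then the non-versioned files. 198.51.100.7
# only uses versioned metadata. 192.0.2.33 never fetched versioned metadata at
# all, so it would genuinely break once the non-versioned files are gone.
SAMPLE_LOG = """\
2024-09-03T10:00:01Z 203.0.113.10 GET /timestamp.json 200 "go-http-client/1.1"
2024-09-03T10:00:01Z 203.0.113.10 GET /5.root.json 200 "go-http-client/1.1"
2024-09-03T10:00:02Z 203.0.113.10 GET /root.json 200 "go-http-client/1.1"
2024-09-03T10:00:02Z 203.0.113.10 GET /snapshot.json 200 "go-http-client/1.1"
2024-09-03T10:00:02Z 203.0.113.10 GET /targets.json 200 "go-http-client/1.1"
2024-09-03T10:00:05Z 198.51.100.7 GET /timestamp.json 200 "go-http-client/1.1"
2024-09-03T10:00:05Z 198.51.100.7 GET /9.root.json 200 "go-http-client/1.1"
2024-09-03T10:00:06Z 198.51.100.7 GET /42.snapshot.json 200 "go-http-client/1.1"
2024-09-03T10:00:06Z 198.51.100.7 GET /42.targets.json 200 "go-http-client/1.1"
2024-09-03T10:00:09Z 192.0.2.33 GET /root.json 200 "curl/8.4.0"
2024-09-03T10:00:09Z 192.0.2.33 GET /targets.json 200 "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Consistent-snapshot names: <version>.root.json, <version>.snapshot.json, ...
VERSIONED_RE = re.compile(r"^\d+\.(root|snapshot|targets)\.json$")
# The non-versioned top-level files that tuf-on-ci stops publishing.
NONVERSIONED = {"root.json", "snapshot.json", "targets.json"}


def classify_path(path):
    """Map a request path to one of: timestamp, versioned, non-versioned, other."""
    name = path.rsplit("/", 1)[-1]
    if name == "timestamp.json":
        return "timestamp"  # timestamp is never versioned in TUF; expected traffic
    if VERSIONED_RE.match(name):
        return "versioned"
    if name in NONVERSIONED:
        return "non-versioned"
    return "other"  # target files, favicon, health probes, ...


def parse(log_text):
    """Yield (ip, kind, user_agent) per parsable line, keeping log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than guess
        yield m["ip"], classify_path(m["path"]), m["ua"]


def count_nonversioned(log_text):
    """Total requests for the deprecated non-versioned files."""
    return sum(1 for _, kind, _ in parse(log_text) if kind == "non-versioned")


def nonversioned_by_user_agent(log_text):
    """Non-versioned requests per user agent. The UA alone does not separate
    the cosign debug fetches from anything else using Go's default client."""
    return Counter(ua for _, kind, ua in parse(log_text) if kind == "non-versioned")


def classify_clients(log_text):
    """Per client IP, decide how its non-versioned requests arose:

    versioned-only         never requested a non-versioned file
    debug-after-versioned  non-versioned fetches only after versioned ones
                           (the post-failure "debug" pattern from the PR comment)
    non-versioned-only     non-versioned files requested before (or without)
                           any versioned request: a client worth investigating
    """
    kinds_by_ip = defaultdict(list)
    for ip, kind, _ in parse(log_text):
        kinds_by_ip[ip].append(kind)
    result = {}
    for ip, kinds in kinds_by_ip.items():
        if "non-versioned" not in kinds:
            result[ip] = "versioned-only"
            continue
        first = kinds.index("non-versioned")
        if "versioned" in kinds[:first]:
            result[ip] = "debug-after-versioned"
        else:
            result[ip] = "non-versioned-only"
    return result


if __name__ == "__main__":
    print("non-versioned requests:", count_nonversioned(SAMPLE_LOG))
    print("by user agent:", dict(nonversioned_by_user_agent(SAMPLE_LOG)))
    for ip, verdict in classify_clients(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Grouping by client IP is a coarse session key (NAT and CI runners share addresses), so treat the verdicts as leads, not proof; the useful output is the "non-versioned-only" set, which is the population that cannot be explained by the cosign debug-fetch behaviour and should be small or empty before the switch is flipped.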

@jku jku marked this pull request as ready for review September 3, 2024 15:37
@jku jku merged commit a4b685e into sigstore:main Sep 3, 2024
4 checks passed
Development

Successfully merging this pull request may close these issues.

switch tuf-on-ci "publish-to-production" on
3 participants