ci(workflows): add system-file-changes workflow #26853
33b4852 to
1d611f7
Compare
Elchi3
left a comment
Makes sense to me.
I see the paths list contains an allow list. I guess this will mean that we will have to remember to add new folders to this file. Probably more safe than having to remember to add new system files to this check. So, I think this makes sense.
(In content this seems to be the other way around, you have to provide files/folders to block, see https://github.com/mdn/content/blob/main/.github/workflows/system-file-changes.yml)
Yes, I figured it's safer to use an allow list. Although we might want to update the approach for the content repos as well, it is slightly less critical, as we don't publish any artifact (like an npm package) from the content repo.
Summary
Adds new system-file-changes workflow that fails when anyone who isn't an admin or a BCD owner changes any file that isn't BCD JSON data or Markdown docs.
Prevents accidental or malicious changes, and ensures that these get noticed.
This is more relevant now with the PR Review Companion, which could lead to
reviewers no longer checking all changes on the "Files changed" tabs, especially
if the list of changes or changed files is long, and doesn't fit on the screen.
Test results and supporting details
Related issues
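The allow-list versus block-list trade-off discussed in this thread, as an added example that is not the workflow's own code: the same constructed set of changed files is checked both ways, showing that an allow list fails closed on paths nobody has listed yet while a block list lets them through. The folder names, protected paths and function names are assumptions made for illustration.

```python
import posixpath

# Assumed for illustration: data folders and protected paths are constructed,
# not copied from the workflow in this PR.
ALLOWED_DATA_DIRS = ("api/", "css/", "html/")
DENIED_PREFIXES = (".github/", "scripts/", "package.json")


def allowed_by_allow_list(path):
    """True only for Markdown docs and JSON under a known data folder."""
    path = posixpath.normpath(path)  # collapse "a/../b" before matching
    if path.endswith(".md"):
        return True
    return path.endswith(".json") and path.startswith(ALLOWED_DATA_DIRS)


def allowed_by_block_list(path):
    """True for anything that is not explicitly listed as protected."""
    path = posixpath.normpath(path)
    return not path.startswith(DENIED_PREFIXES)


def flagged(changed_files, is_allowed, actor_is_privileged=False):
    """Return the files that should fail the check for this actor."""
    if actor_is_privileged:  # admins and owners may change anything
        return []
    return [f for f in changed_files if not is_allowed(f)]


# Constructed list of files changed in a pull request.
CHANGED = [
    "api/AbortController.json",   # data
    "docs/contributing.md",       # docs
    ".github/workflows/ci.yml",   # known system file
    "lint/fixer.js",              # system file nobody listed yet
    "webassembly/api.json",       # new data folder nobody listed yet
]

if __name__ == "__main__":
    print("allow list flags:", flagged(CHANGED, allowed_by_allow_list))
    print("block list flags:", flagged(CHANGED, allowed_by_block_list))
```

The allow list's false positive on the new data folder is the maintenance cost mentioned in the review comment; the block list's miss on the unlisted system file is the risk it avoids.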