Add LABEL_ALLOWLIST_REGEX to pipeline
Add a LABEL_ALLOWLIST_REGEX CI variable to be used on a per-project (or vendor project group) basis. Most repos will have this unset.
A specific project will need to set a value such as foo|bar|com\.example\..* if they need this feature.
Current Behavior
Vendors cannot use custom labels in pipelines.
Purpose
Allow vendors to use custom labels like com.example.bar. We do not want people to set labels like description; they should still be using the OCI label for that. This configuration option would be set as a CI variable and restricted to Maintainers only.
Plan
Possible implementation: add something like this where the schema is loaded, in both metadata.py and hardening_manifest_yaml/generate.py:

```python
import json
import os

# schema_path is the Path to the manifest JSON schema that both modules already open.
with schema_path.open("r") as s:
    schema = json.load(s)

regex = os.environ.get("LABEL_ALLOWLIST_REGEX", None)
if regex:
    # JSON Schema patternProperties use search semantics, so anchor the
    # expression: each alternative must match the whole label key.
    schema["definitions"]["labels"]["patternProperties"] = {
        f"^(?:{regex})$": {
            "$ref": "#/definitions/printable-characters-without-newlines"
        }
    }
    # Keep additionalProperties false. Setting it to true would make the
    # allowlist pointless, because keys that do not match the regex would pass too.
    schema["definitions"]["labels"]["additionalProperties"] = False
```
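The following is an added example, not code from this project: it builds a small stand-in for the labels definition, patches it the way the plan describes from a LABEL_ALLOWLIST_REGEX value, and evaluates label sets against the result with a minimal checker for the keywords involved (properties, patternProperties, additionalProperties and the referenced string pattern). The base schema, the label names and the checker are all constructed here; the project's real schema and validator differ. It shows why additionalProperties must stay false and why the regex is anchored: an unanchored foo would admit foo.bar as well.

```python
"""Added example (not the project's code): apply a label allowlist regex to a
labels schema and check label sets against it offline."""
import copy
import os
import re

# Constructed stand-in for the project's schema: only the named OCI labels are
# accepted, every other key is rejected via additionalProperties: false.
PRINTABLE = {"$ref": "#/definitions/printable-characters-without-newlines"}
BASE_SCHEMA = {
    "definitions": {
        "printable-characters-without-newlines": {
            "type": "string",
            "pattern": r"^[^\n\r]*$",
        },
        "labels": {
            "type": "object",
            "properties": {
                "org.opencontainers.image.title": PRINTABLE,
                "org.opencontainers.image.description": PRINTABLE,
            },
            "additionalProperties": False,
        },
    }
}


def apply_label_allowlist(schema, regex):
    """Return a copy of schema whose labels definition also accepts keys
    matching regex. The regex is anchored so that each alternative must match
    the whole key, and additionalProperties stays False so unlisted keys are
    still rejected. With regex unset (most repos) the schema is unchanged."""
    patched = copy.deepcopy(schema)
    labels = patched["definitions"]["labels"]
    if regex:
        labels["patternProperties"] = {f"^(?:{regex})$": PRINTABLE}
    labels["additionalProperties"] = False
    return patched


def schema_from_env(schema, env=None):
    """Read LABEL_ALLOWLIST_REGEX from env (os.environ by default), as the CI job would."""
    env = os.environ if env is None else env
    return apply_label_allowlist(schema, env.get("LABEL_ALLOWLIST_REGEX", None))


def validate_labels(labels, schema):
    """Minimal evaluator for the keywords this schema uses. Returns the list of
    rejected label keys; an empty list means the labels object is valid."""
    defn = schema["definitions"]["labels"]
    value_pat = schema["definitions"]["printable-characters-without-newlines"]["pattern"]
    named = defn.get("properties", {})
    # patternProperties are matched with search semantics, as JSON Schema does.
    patterns = [re.compile(p) for p in defn.get("patternProperties", {})]
    rejected = []
    for key, value in labels.items():
        if key in named or any(p.search(key) for p in patterns):
            # fullmatch so a trailing newline cannot slip past the $ anchor
            if not isinstance(value, str) or re.fullmatch(value_pat, value) is None:
                rejected.append(key)
        elif not defn.get("additionalProperties", True):
            rejected.append(key)
    return rejected


if __name__ == "__main__":
    vendor = apply_label_allowlist(BASE_SCHEMA, r"foo|bar|com\.example\..*")
    print(validate_labels({"org.opencontainers.image.title": "x", "com.example.bar": "y"}, vendor))
    print(validate_labels({"description": "x", "foo.bar": "y"}, vendor))
```

Running the module prints an empty list for the first label set and the two rejected keys for the second. The same checker applied to a schema with additionalProperties set to True would accept description as well, which is the behaviour the plan wants to avoid.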
Acceptance Criteria
It works.
Edited by blake.burkhart