applications.yaml workflow updates

[DevopsGoth]

• Remove possible vuln with pull_request_target (investigating this)
• remove ubuntu-20.04 refs (those runners are end of life)
• shuffled where aws secrets are used to ensure they are only there for steps that need them

PR checklist:

• Test coverage for the proposed changes
• PR description contains example output from repl interaction or a snippet from unit test output
• New builtins have a FV translation
• Documentation has been (manually) updated at https://docs.kadena.io/pact
• Any changes that could be relevant to users have been recorded in the changelog
• In case of changes to the Pact trace output (pact -t), make sure pact-lsp is in sync.

Additionally, please justify why you should or should not do the following:

• Confirm replay/back compat
• Benchmark regressions
• (For Kadena engineers) Run integration-tests against a Chainweb built with this version of Pact

---

• To see the specific tasks where the Asana app for GitHub is being used, see below:
  • https://app.asana.com/0/0/1209364538790824

[DevopsGoth]

I want to test the underlying workflow before this is merged

[DevopsGoth]

Per https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

We should not be vulnerable just for using a pull_request_target trigger as we do not check out the PR head in this workflow. It was, however, not needed.

Ubuntu 20.04 runners will be turned off next month and thus have been removed from here, as they will be from all Kadena workflows over the next few weeks.

[rsoeldner]

Removing Z3 should break some tests. I would just go ahead and suspend CI entirely for this repo. @emilypi what do you think?

[emilypi]

Approved with a comment

[emilypi]

@rsoeldner we'll archive this eventually, but i see no harm in keeping it alive until we get the go ahead.