Create GitHub workflow to act as PR watchdog; protect the release pipelines #145

Closed
kltm opened this issue Nov 19, 2019 · 3 comments · Fixed by #340

kltm commented Nov 19, 2019

In order to both better protect snapshot, release, and maybe master, we should create a .travis.yml that

  • checks to make sure that Jenkinsfile still has the verbatim watchdog block
  • performs similar checks to the current watchdog
  • does additional checks that should be easy in bash or python, such as ensuring that Zenodo and AWS targets (all publication targets) do not seem coherent or do not exist; possibly enforce a rule such as "null"

kltm commented Nov 19, 2019

This would improve the software and data developer experience by lowering the bar of knowledge needed to develop the pipeline.

In addition, we may want to also "lock down" the snapshot and release pipelines to just a few individuals.

@kltm kltm changed the title Create .travis.yml to act as PR watchdog to protect release pipeline Create .travis.yml to act as PR watchdog; protect the release pipelines Nov 19, 2019

kltm commented Apr 3, 2020

New best way to do this:

A simple hard-coded paragraph check that the following text exists in the Jenkinsfile as an as-is template:

    stages {
        // Very first: pause for a few minutes to give a chance to
        // cancel and clean the workspace before use.
        stage('Ready and clean') {
            steps {

                // Check that we do not affect public targets on
                // non-mainline runs.
                script {
                    if( BRANCH_NAME != 'master' && TARGET_BUCKET == 'go-data-product-experimental'){
                        echo 'Only master can touch that target.'
                        sh 'exit 1'
                    }else if( BRANCH_NAME != 'snapshot' && TARGET_BUCKET == 'go-data-product-snapshot'){
                        echo 'Only snapshot can touch that target.'
                        sh 'exit 1'
                    }else if( BRANCH_NAME != 'release' && TARGET_BUCKET == 'go-data-product-release'){
                        echo 'Only release can touch that target.'
                        sh 'exit 1'
                    }
                }

                // Give us a minute to cancel if we want.
                sleep time: 1, unit: 'MINUTES'
                cleanWs()
            }
        }

The only way to bypass this would be by researching it and actively writing code to undermine it.
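
Putting the opening comment's checklist and the hard-coded paragraph check above together, here is an added example of what the watchdog could look like as a script a GitHub Actions step runs on every pull request. It is not the project's own workflow, action, or Jenkinsfile. The names WATCHDOG_BLOCK, PROTECTED_TARGETS, check_jenkinsfile and the script path are assumptions; the guard block is the one quoted above, with the echo messages and `sh 'exit 1'` being this example's corrected wording, and the three sample Jenkinsfiles are constructed for the demonstration.

```python
"""Watchdog check for a Jenkinsfile, as a GitHub Actions step would run it.

Added example, not the project's own workflow. It implements the check
described in the issue: fail unless the protected guard block is present
verbatim in the Jenkinsfile, and, separately, that every protected bucket is
still denied to non-matching branches. Assumed names: WATCHDOG_BLOCK,
PROTECTED_TARGETS, check_jenkinsfile; the echo messages and `sh 'exit 1'` are
this example's corrected wording of the block quoted in the issue.
"""
import re
import sys
import textwrap
from pathlib import Path

# The guard block that must survive any PR (whitespace-normalised comparison).
WATCHDOG_BLOCK = """\
script {
    if( BRANCH_NAME != 'master' && TARGET_BUCKET == 'go-data-product-experimental'){
        echo 'Only master can touch that target.'
        sh 'exit 1'
    }else if( BRANCH_NAME != 'snapshot' && TARGET_BUCKET == 'go-data-product-snapshot'){
        echo 'Only snapshot can touch that target.'
        sh 'exit 1'
    }else if( BRANCH_NAME != 'release' && TARGET_BUCKET == 'go-data-product-release'){
        echo 'Only release can touch that target.'
        sh 'exit 1'
    }
}
"""

# Branch -> bucket pairs that each need a guard (assumed from the block above).
PROTECTED_TARGETS = {
    "master": "go-data-product-experimental",
    "snapshot": "go-data-product-snapshot",
    "release": "go-data-product-release",
}


def _normalise(text):
    # Collapse whitespace so a reindent does not trip the check, while any
    # token change (for example '!=' becoming '==') still does.
    return re.sub(r"\s+", " ", text).strip()


def block_present(jenkinsfile):
    return _normalise(WATCHDOG_BLOCK) in _normalise(jenkinsfile)


def guard_for(jenkinsfile, branch, bucket):
    # Look for an if/else-if that denies `bucket` to runs not on `branch`.
    pattern = (r"if\s*\(\s*BRANCH_NAME\s*!=\s*'" + re.escape(branch)
               + r"'\s*&&\s*TARGET_BUCKET\s*==\s*'" + re.escape(bucket) + r"'\s*\)")
    return re.search(pattern, jenkinsfile) is not None


def check_jenkinsfile(jenkinsfile):
    """Return a list of problems; an empty list means the watchdog is intact."""
    problems = []
    if not block_present(jenkinsfile):
        problems.append("watchdog block missing or modified")
    for branch, bucket in PROTECTED_TARGETS.items():
        if not guard_for(jenkinsfile, branch, bucket):
            problems.append(f"no guard restricting {bucket} to branch {branch}")
    return problems


# Constructed sample Jenkinsfiles (not the project's real file).
GOOD_JENKINSFILE = (
    "pipeline {\n  agent any\n  stages {\n    stage('Ready and clean') {\n      steps {\n"
    + textwrap.indent(WATCHDOG_BLOCK, "        ")
    + "        sleep time: 1, unit: 'MINUTES'\n        cleanWs()\n      }\n    }\n  }\n}\n"
)
# A PR that quietly flips one comparison so the release bucket is writable.
TAMPERED_JENKINSFILE = GOOD_JENKINSFILE.replace(
    "BRANCH_NAME != 'release'", "BRANCH_NAME == 'release'")
# A PR that keeps the conditions but removes the hard stop.
DEFANGED_JENKINSFILE = GOOD_JENKINSFILE.replace("sh 'exit 1'", "echo 'skipping'")


def main(argv):
    # Usage in a workflow step: python3 check_watchdog.py Jenkinsfile
    text = Path(argv[1]).read_text() if len(argv) > 1 else GOOD_JENKINSFILE
    problems = check_jenkinsfile(text)
    for problem in problems:
        print(f"WATCHDOG: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A pull_request workflow step such as `run: python3 .github/scripts/check_watchdog.py Jenkinsfile` (path assumed) turns a non-zero exit into a failed check. The two checks are deliberately separate: the verbatim comparison catches any edit at all, while the per-bucket guard search says which target a PR would open up. Whatever branch protection is applied to the Jenkinsfile should also cover the workflow file and this script, since a PR that can edit the checker can edit the check.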

@kltm kltm changed the title Create .travis.yml to act as PR watchdog; protect the release pipelines Create GitHub workflow to act as PR watchdog; protect the release pipelines Sep 27, 2023

kltm commented Sep 27, 2023

Updated to reflect GH and lack of travis.

@kltm kltm closed this as completed in #340 Sep 27, 2023
kltm added a commit that referenced this issue Sep 27, 2023
fixes #145, add a GH action to check that watchdog code in Jenkinsfile is not bei…