Supporting SSH CAs for access to EMU user namespace repositories

[github-product-roadmap]

Summary

SSH CAs allow administrators to mint SSH keys that function as a user's credentials, with additional restrictions such as time-bounding the access. These keys are only good against the enterprise's data.

Traditionally, "the enterprise's data" is just repos that belong to orgs that belong to the enterprise. We wouldn't want an admin able to mint a key that can access a user's personal repos.
But in EMUs, the user account is an enterprise resource, and both admins and users expect that when they have a key that's good for the Foo Enterprise as user Bar, it's good for everything in the enteprise, including user Bar's user namespace repos.

With this change, those keys are now good for user namespace repos. This will be a default change, without the option to opt-out of the change in scoping.

[ankneis]

🚢 This has shipped: https://github.blog/changelog/2024-03-29-ssh-ca-support-for-enterprise-owned-user-accounts/

Leaving open to track for GHES release!

[ankneis]

This shipped with GHES 3.14: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes