sync-test: skip when required connector secret is empty #83

Open: robert-chiniquy wants to merge 1 commit into main from rch/feature/sync-test-skip-empty-secret


@robert-chiniquy

Why

About two dozen connector testability PRs across the baton-* repos are stuck on the shared sync-test action. The action calls the connector binary, then uses baton grants + a jq --exit-status filter to assert a specific test grant exists.

When the connector's credentials env var isn't populated — because the org secret hasn't been provisioned for that repo yet, or the workflow ran from a fork — the binary runs but returns no grants, the jq filter exits non-zero, and the job fails. The PR author can't fix that from the code side, so the testability PRs sit indefinitely.

What this does

Adds an optional required-secrets input to actions/sync-test. It takes a comma- or whitespace-separated list of env var names. If any are empty when grant-revoke.sh starts, the action logs an ::notice:: and exits 0 instead of running the test.

- uses: ConductorOne/github-workflows/actions/sync-test@v3
  with:
    connector: ./baton-foo
    baton-entitlement: "role:owner:assigned"
    baton-principal: "user@example.com"
    required-secrets: BATON_FOO_TOKEN

Existing callers with no required-secrets input behave exactly as before.

Test plan

  • Verified the bash-parameter-expansion logic handles both comma and whitespace separators, and exits 0 on the first empty var.
  • Once merged + tagged, opt one stuck baton-* repo into required-secrets and confirm the test job skips cleanly with the credentials secret unset, and still runs when set.

Follow-ups (out of scope for this PR)

  • Tag a new major (v3) once enough consumers are migrated, or backport to v2 if that's preferred.
  • The longer-term answer is to point the test at a mock server using the new --base-url flag from the connector testability project — this PR just unblocks the queue in the meantime.

Add an optional 'required-secrets' input listing env var names that must be
non-empty for the test to run. If any are empty the action logs a skip
notice and exits 0 instead of failing on a missing-credential side effect
(empty grants, jq exit-status failure, etc.).

Connectors opt in by setting the input in their workflow:

  - uses: ConductorOne/github-workflows/actions/sync-test@v3
    with:
      connector: ./baton-foo
      baton-entitlement: 'role:owner:assigned'
      baton-principal: 'user@example.com'
      required-secrets: BATON_FOO_TOKEN

Existing callers (no new input) behave exactly as before.
@robert-chiniquy robert-chiniquy requested a review from gontzess May 22, 2026 17:34
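
The skip check this PR describes, sketched as an added example; it is not the PR's grant-revoke.sh, and the function names and DEMO_* variables are hypothetical. Validating each name before expanding it is an assumption that goes beyond what the PR states.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from grant-revoke.sh.

# first_empty_secret LIST
#   LIST is a comma- or whitespace-separated list of env var names.
#   Prints the first name whose value is unset or empty and returns 0;
#   returns 1 if every name is non-empty (or LIST is empty);
#   returns 2 on a string that is not a valid variable name.
first_empty_secret() (
  set -f  # keep a stray '*' in LIST from globbing during word splitting
  for name in $(printf '%s' "$1" | tr ',' ' '); do
    case "$name" in
      [0-9]* | *[!A-Za-z0-9_]*)
        echo "required-secrets: invalid name '$name'" >&2
        exit 2 ;;
    esac
    # Indirect lookup; safe only because $name was validated above.
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
      printf '%s\n' "$name"  # the name only, never a value
      exit 0
    fi
  done
  exit 1
)

# sync_test_should_skip LIST
#   Returns 0 (and prints a ::notice:: workflow command) when the test should
#   be skipped, 1 when it should run, 2 when LIST is malformed.
sync_test_should_skip() {
  rc=0
  missing=$(first_empty_secret "$1") || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "::notice::sync-test skipped: required secret '$missing' is empty"
  fi
  return "$rc"
}

# Constructed demo: one secret provisioned, one not.
DEMO_SET_TOKEN="constructed-value"
DEMO_EMPTY_TOKEN=""
sync_test_should_skip "DEMO_SET_TOKEN, DEMO_EMPTY_TOKEN" || true
```

A misspelled name in required-secrets is always empty, so every run would skip and still report success; naming the variable in the notice makes that visible in the job log.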