Revamp duckdb-wasm extensions CI

[carlopi]

CI on this PR is not actually checking anything, given the changed files are never invoked.

More proper test for this workflow is as follow:

• set this branch as main for a fork (I have done it temporarily for https://github/carlopi/duckdb)
• invoke the "DuckDB-Wasm Extensions" workflow (via WebUI or gh cli) on the fork, passing as parameters {'duckdb_ref' : 'v0.10.0', 's3_release' : false} (successful test run here: https://github.com/carlopi/duckdb/actions/runs/7912968453)
  here I would expect it should succeed, building the extensions, signing them with a fake key, setting up aws, and invoking aws s3 cp with --dryrun
  Sample of the log will be like (based on a past run):

autocomplete
(dryrun) upload: build/to_be_deployed/v0.10.0/wasm_eh/autocomplete.duckdb_extension.wasm.brotli to s3://duckdb-extensions/v0.10.0/wasm_eh/autocomplete.duckdb_extension.wasm
excel
(dryrun) upload: build/to_be_deployed/v0.10.0/wasm_eh/excel.duckdb_extension.wasm.brotli to s3://duckdb-extensions/v0.10.0/wasm_eh/excel.duckdb_extension.wasm
fts
(dryrun) upload: build/to_be_deployed/v0.10.0/wasm_eh/fts.duckdb_extension.wasm.brotli to s3://duckdb-extensions/v0.10.0/wasm_eh/fts.duckdb_extension.wasm
icu
(dryrun) upload: build/to_be_deployed/v0.10.0/wasm_eh/icu.duckdb_extension.wasm.brotli to s3://duckdb-extensions/v0.10.0/wasm_eh/icu.duckdb_extension.wasm
----

• invoke the "DuckDB-Wasm Extensions" workflow (via WebUI or gh cli) on the fork, passing as parameters {'duckdb_ref' : 'v0.10.0', 's3_release' : true} (run is currently in flight here: https://github.com/carlopi/duckdb/actions/runs/7913085453)
  This should (if AWS variable are properly inherited from the environment) upload the extensions, otherwise fall back to --dryrun. Please double check you have AWS keys enabled in your repository if you want to try this.

s3_release set to false is not uploading nor signing anything, so it can be safely invoked also also on the duckdb/duckdb repo as an additional test AFTER merging this into main (before that this workflow is present in a older version performing an outdated logic).

My idea is that this PR can be reviewed, eventually merged, and then when it lands on main the workflow can be invoked first passing {'duckdb_ref' : 'v0.10.0', 's3_release' : false} checking the resulting paths make sense / stuff has not exploded, and then invoking it properly passing {'duckdb_ref' : 'v0.10.0', 's3_release' : true}.

Artifacts build during the first step are available after completion in the Summary page: https://github.com/carlopi/duckdb/actions/runs/7912968453.

[carlopi]

Note that this CI job, invoked on request via workflow, is meant only to build the duckdb-wasm compatible extensions and store them on the official repository.

[carlopi]

I think this makes sense, tried various times on my CI while polishing this, seems to work as expected.

Upload / signature will be properly tested once extensions are up by the duckdb-wasm CI on the branch bumping to duckdb v0.10.0.

[carlopi]

Potentially an additional test, if we want to be extra sure, would be building duckdb-wasm extensions for a random commit (say commit the first landed PR after v0.10.0, that would be duckdb_ref = "8508978c55" + s3_release = true).

That should make that extensions ARE build, signed and deployed, but for an uninteresting commit hash (and we can then delete them from S3).

[samansmink]

Think this looks good, added 2 small comments

[carlopi]

Thanks @samansmink, comments have been addressed.