Immutable write-once location in the builder

[xnox]

As part of #1737

It would be useful to have write-once locations for the builder. I.e. for melange to write dynamic files that are immutable by the guest. Sort of like the existing melange-cache; but not reusable across multiple builds.

See this comment #1737 (comment) of writing out individual package specific settings into the apko image used for building a given package.

Currently this is not possible. This is potentially a parallel feature request for apko paths key to support adding arbitrary text files.

[xnox]

so talking to @jonjohnsonjr about this, there is more to this than meets the eye:

• whilst file location of this file is not great, it doesn't matter as much because any other locations will not bring safety / security benefits either
• until we have root owned build image; and non-root (or different user) builder executor where this file is at, doesn't matter as at build time the builder process today can modify all files - inside and outside of their home directory
• doing a read-only bindmount could be better - but care would need to be taken to ensure all runners support that

Until all of the above is done, moving this file out of workspace is low priority; or is pointless as it doesn't achieve anything.