Clarify policy: usage of production tokens in GitHub Actions

[UlisesGascon]

In the past we didn't reach a clear/possitive consensus on the usage of production tokens (jenkins release, mailgun, etc...) on Github Actions due security concerns. Is this the current status?

Usage example: nodejs/email#222.