
Commit 2d901f4

fix(codepipeline): replace account root principal with pipeline role in trust policy for cross-account actions (under feature flag) (#34074)
### Issue # (if applicable)

[GHSA-5pq3-h73f-66hr](GHSA-5pq3-h73f-66hr)

### Reason for this change

See GHSA for details.

### Description of changes

Added new feature flag `@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope`

When the feature flag `@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope` is set to true:

- Scope down cross-account action role's trust policy to the pipeline role
- Set pipeline role's `roleName` to `PhysicalName.GENERATE_IF_NEEDED`

### Describe any new or updated permissions being added

Cross-account action role trust policy is scoped with condition key `ArnEquals` when feature flag is enabled:

```
"Statement": [
  {
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnEquals": {
        "aws:PrincipalArn": "<pipelineRoleARN>"
      }
    },
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<pipelineStack.account>:root"
    }
  }
],
```

### Description of how you validated changes

Added integration tests for S3, StepFunction, and CloudFormation codepipeline actions and manually verified that the cross-account action was successfully completed (reading S3 bucket, invoking state machine, and deploying a CloudFormation stack in the cross-account).

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
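Added example, not part of this commit or of the aws-cdk code base: a simplified model of how IAM evaluates the trust policy quoted in the commit message, contrasting the legacy account-root-only statement with the flagged statement that adds the `ArnEquals` condition on `aws:PrincipalArn`. The account id and role name are constructed placeholders, and the evaluator covers only the Allow/Principal/Condition shape shown above.

```python
# Constructed placeholders standing in for <pipelineStack.account> and <pipelineRoleARN>.
PIPELINE_ACCOUNT = "111111111111"
PIPELINE_ROLE_ARN = f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/PipelineRole-generated"


def trust_policy(scoped: bool) -> dict:
    """Cross-account action role trust policy.
    scoped=False: legacy shape, account root principal only.
    scoped=True:  shape produced with the feature flag on (ArnEquals condition added)."""
    stmt = {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"},
    }
    if scoped:
        stmt["Condition"] = {"ArnEquals": {"aws:PrincipalArn": PIPELINE_ROLE_ARN}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def principal_matches(principal: dict, caller_arn: str) -> bool:
    # An "<account>:root" principal delegates to every IAM principal in that account,
    # which is exactly why the root-only policy is too broad for a single pipeline role.
    allowed = principal["AWS"]
    for p in ([allowed] if isinstance(allowed, str) else allowed):
        if p.endswith(":root") and account_of(p) == account_of(caller_arn):
            return True
        if p == caller_arn:
            return True
    return False


def condition_matches(condition: dict, ctx: dict) -> bool:
    # Simplified: exact-match ArnEquals only (real IAM also accepts ARN wildcards here).
    for op, kv in condition.items():
        if op != "ArnEquals":
            raise NotImplementedError(op)
        for key, expected in kv.items():
            values = expected if isinstance(expected, list) else [expected]
            if ctx.get(key) not in values:
                return False
    return True


def can_assume(policy: dict, caller_arn: str) -> bool:
    """Allow iff some Allow statement for sts:AssumeRole matches both Principal and Condition.
    For an assumed-role session, aws:PrincipalArn resolves to the role ARN, so we pass it directly."""
    ctx = {"aws:PrincipalArn": caller_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if principal_matches(stmt["Principal"], caller_arn) and condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False
```

With the flag off, any role in the pipeline account (constructed `SomeOtherRole` below) passes; with it on, only the pipeline role does, and a same-named role in a different account is still refused by the Principal check.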
1 parent 3da0c4d commit 2d901f4

54 files changed (+11030 / -204 lines)


packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cross-account-pipeline-cfn-action.js.snapshot/CdkPipelineCfnActionStack.assets.json (+81 lines)