Allow seasonal-flu/deploy-private-nextflu to assume GitHubActionsRole…

…NextstrainBatchJobs

We cannot use the usual `pathogen-repo-build` workflow for the
seasonal flu deploy-private-nextflu workflow because these are private
builds that should not be surfaced through public GH Action artifacts.¹

¹ <nextstrain/private#110 (comment)>

env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf

@@ -23,6 +23,11 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
           "StringLike": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
             "token.actions.githubusercontent.com:sub": [
+              # Special case for seasonal flu's deploy-private-nextflu workflow which needs to download the private builds
+              # from AWS Batch before bundling/deploying them through Netlify.
+              # This special case can be removed when we finally sunset the private site.
+              #   -Jover, 07 June 2024
+              "repo:nextstrain/seasonal-flu:*:job_workflow_ref:nextstrain/seasonal-flu/.github/workflows/deploy-private-nextflu.yaml@*",
               for repo in keys(local.repo_pathogens):
                 "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
             ]