Add ac claim for old docker/build-push-actions@v3

Also resolves a warning for current releases

```
| ##[group]GitHub Actions runtime token ACs
| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON
| ##[endgroup]
====>
| ##[group]GitHub Actions runtime token ACs
| ##[endgroup]
```

Author: ChristopherHX

services/actions/auth.go

@@ -21,6 +21,7 @@ type actionsClaims struct {
 	TaskID int64
 	RunID  int64
 	JobID  int64
+	Ac     string `json:"ac"`
 }
 
 func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
@@ -32,6 +33,7 @@ func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		Scp:    fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),
+		Ac:     "[]",
 		TaskID: taskID,
 		RunID:  runID,
 		JobID:  jobID,

services/actions/auth_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"testing"
 
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -29,6 +30,12 @@ func TestCreateAuthorizationToken(t *testing.T) {
 	taskIDClaim, ok := claims["TaskID"]
 	assert.True(t, ok, "Has TaskID claim in jwt token")
 	assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one")
+	acClaim, ok := claims["ac"]
+	assert.True(t, ok, "Has ac claim in jwt token")
+	ac, ok := acClaim.(string)
+	assert.True(t, ok, "ac claim is a string")
+	err = json.Unmarshal([]byte(ac), &[]struct{}{})
+	assert.NoError(t, err, "ac claim is a json list")
 }
 
 func TestParseAuthorizationToken(t *testing.T) {