fix(codepipeline): replace account root principal with current pipeline role in the trust policy under ff: @aws-cdk/pipelines:reduceStageRoleTrustScope (#33742)

### Issue # (if applicable)
aws-codepipeline creates roles with broad trust policies. 

Closes #33709 

### Reason for this change
Captured in Description of the issue.


### Description of changes
1. Introduced feature flag @aws-cdk/pipelines:reduceStageRoleTrustScope (default: true).
2. Under the feature flag when enabled, the root account principal will not be added to the trust policy of stage role. Instead the stage role can now be assumed by the current role created for the pipeline.


### Describe any new or updated permissions being added
Described above.



### Description of how you validated changes
integ test snapshots are being updated. 


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: QuantumNeuralCoder

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/appconfigconfigurationDefaultTestDeployAssert6752CD38.assets.json

@@ -746,7 +746,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip"
+     "S3Key": "e42a736be21cd3134b9bff4e71e3afa99a4cc900ae489e9a7f7025c8d258f9b8.zip"
     },
     "Description": "/opt/awscli/aws"
    }
@@ -1807,19 +1807,9 @@
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "MyPipelineRoleC0D47CA4",
+          "Arn"
          ]
         }
        }
@@ -1934,19 +1924,9 @@
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "MyPipelineRoleC0D47CA4",
+          "Arn"
          ]
         }
        }