Add Sentinel CI workflow for workflow security scanning

[jpr5]

Summary

• Adds .github/workflows/sentinel.yml for automated workflow security scanning via Sentinel
• Runs on all pull requests and pushes to main
• Configured in warn-only mode (fail-on-findings: false) — surfaces findings without blocking merges
• Part of the org-wide Sentinel rollout (spec)

Details

Sentinel scans GitHub Actions workflows for security issues (credential exposure, injection risks, overly broad permissions, unpinned actions, etc.). This initial rollout uses severity: high to focus on the most impactful findings.

Test plan

• CI runs the new Sentinel workflow on this PR
• Workflow completes without blocking the PR (warn-only mode)
• Review any findings surfaced in the Actions tab

[jpr5]

Force-pushed with SHA-pinned actions to satisfy zizmor's unpinned-uses rule. Per the org-wide sentinel rollout, the floating-tag-for-easy-updates model is being replaced with SHA-pin + dependabot. Spec updated. Rest of the PR unchanged.

[jpr5]

Promoted to blocking mode — this repo had zero sentinel findings on the warn-only scan, so we're skipping the 7-day warn-only observation period. fail-on-findings is now true; future PRs that introduce critical/high findings will block merge.

[jpr5]

Promoted to blocking mode — this repo had zero sentinel findings on the warn-only scan, so we're skipping the 7-day warn-only observation period. fail-on-findings is now true; future PRs that introduce critical/high findings will block merge.

[jpr5]

Promoted to blocking mode — this repo had zero sentinel findings on the warn-only scan, so we're skipping the 7-day warn-only observation period. fail-on-findings is now true; future PRs that introduce critical/high findings will block merge.