ci: add ActionScope GitHub Actions security exposure scan #6574

Closed
r12habh wants to merge 1 commit into elastic:main from r12habh:actionscope-security-scan

Conversation


@r12habh r12habh commented May 30, 2026

What

Adds a lightweight ActionScope workflow to scan GitHub Actions, Terraform, and IAM/policy JSON changes for CI/CD security exposure.

The workflow is intentionally conservative:

  • runs only when workflow/action/IaC/policy files change, plus manual dispatch
  • uses only contents: read
  • does not call AWS APIs or require cloud credentials
  • pins actions/checkout to a full commit SHA
  • installs actionscope>=0.3.5,<1.0 from PyPI
  • fails only on critical findings, so the current non-critical findings do not block CI

Why

I ran ActionScope locally against this repository and it found workflow-level CI/CD security signal around AWS credentials, token permissions, environments, or action supply-chain posture.

Overall Risk: 🟠 HIGH
Workflows scanned: 22
AWS credential sources: 16
Critical: 0 | High: 24 | Medium: 17 | Low: 25 | Info: 1

Because this uses --fail-on critical, this PR should add visibility without changing the current pass/fail posture.
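The workflow file itself is not shown on this page. The following is an added example, written for this page and not the PR's own file, of a workflow shaped the way the description lists: path-filtered triggers plus manual dispatch, `contents: read` only, no cloud credentials, a SHA-pinned checkout, a version-bounded PyPI install, and `--fail-on critical`. The path globs, job and step names, the `actionscope scan .` invocation (everything except `--fail-on critical`), and the all-zero SHA placeholder are assumptions, not values taken from the PR.

```yaml
# Added example: a conservative ActionScope scan workflow matching the
# constraints listed in the PR description. Not the PR's own file.
name: ActionScope security exposure scan

on:
  pull_request:
    # Assumed path filters: only workflow, action, IaC and policy changes trigger the scan.
    paths:
      - ".github/workflows/**"
      - ".github/actions/**"
      - "**/*.tf"
      - "**/*policy*.json"
  # Manual dispatch stays available for ad-hoc runs.
  workflow_dispatch: {}

# Least privilege: the scan only needs to read the checked-out tree.
permissions:
  contents: read

jobs:
  actionscope:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA rather than a mutable tag. The SHA below is a
      # placeholder; resolve the real commit for the release you intend to pin.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)

      - name: Install ActionScope from PyPI
        run: python3 -m pip install "actionscope>=0.3.5,<1.0"

      # No AWS credentials are configured for this job; the scan reads repository
      # files only. With --fail-on critical, existing high/medium/low findings are
      # reported but do not fail the job, so the pass/fail posture is unchanged.
      - name: Scan for CI/CD security exposure
        run: actionscope scan . --fail-on critical # command name and target argument are assumed
```

If the project wants the scan to be visible on the default branch as well, a `push` trigger with the same `paths` filter can be added; the permissions and fail threshold stay the same.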

@r12habh r12habh requested a review from a team as a code owner May 30, 2026 11:09
@cla-checker-service

❌ Author of the following commits did not sign a Contributor Agreement:
077caf9

Please read and sign the above-mentioned agreement if you want to contribute to this project.


mergify Bot commented May 30, 2026

This pull request does not have a backport label. Could you fix it @r12habh? 🙏
To fix up this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@r12habh r12habh closed this May 30, 2026