ci: add Semgrep SAST scanning on pull requests (#149)

Adds Semgrep static analysis on PRs to main via the reusable workflow in
kernel/security-workflows. Includes .semgrepignore for generated code,
test fixtures, and lock files.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk CI-only change that adds a new PR workflow; main risk is
potential noisy findings or CI time/permissions issues.
> 
> **Overview**
> Adds a new GitHub Actions workflow `semgrep.yml` to run Semgrep SAST
on pull requests to `main` via the reusable `kernel/security-workflows`
workflow, configured with the `p/golang` and `p/trailofbits` rulesets.
> 
> Introduces `.semgrepignore` to exclude common generated/dependency
artifacts and test files (`node_modules/`, `vendor/`, `dist/`,
`*_test.go`, `go.sum`) from scanning.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
2f53190. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: ulziibay-kernel

.github/workflows/semgrep.yml

@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/golang --config p/trailofbits'
+      codebase-description: 'Kernel CLI tool authenticating with customer API keys'
+    secrets: inherit

.semgrepignore

@@ -0,0 +1,5 @@
+node_modules/
+vendor/
+dist/
+*_test.go
+go.sum