ci: add Semgrep SAST scanning on pull requests

[ulziibay-kernel]

Adds Semgrep static analysis on PRs to main via the reusable workflow in kernel/security-workflows. Includes .semgrepignore for generated code, test fixtures, and lock files.

Made with Cursor

---

Note

Low Risk
Low risk CI-only change that adds a new PR workflow; main risk is potential noisy findings or CI time/permissions issues.

Overview
Adds a new GitHub Actions workflow semgrep.yml to run Semgrep SAST on pull requests to main via the reusable kernel/security-workflows workflow, configured with the p/golang and p/trailofbits rulesets.

Introduces .semgrepignore to exclude common generated/dependency artifacts and test files (node_modules/, vendor/, dist/, *_test.go, go.sum) from scanning.

^{Reviewed by Cursor Bugbot for commit 2f53190. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR only modifies CI/security configuration files and does not change any kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

[Sayan-]

LGTM — standard Semgrep reusable workflow rollout. Go configs and .semgrepignore look correct.