ci: add Semgrep SAST scanning on pull requests (#211)

Adds Semgrep static analysis on PRs to main via the reusable workflow in
kernel/security-workflows. Includes .semgrepignore for generated code,
test fixtures, and lock files.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk CI-only change that adds static analysis on PRs and ignores
generated/third-party files; main impact is potential new PR check
failures/noise.
> 
> **Overview**
> Adds a Semgrep SAST GitHub Actions workflow that runs on pull requests
to `main` via the reusable `kernel/security-workflows` workflow,
scanning with the `p/golang` and `p/javascript` rulesets.
> 
> Introduces a `.semgrepignore` to exclude dependencies, build
artifacts, lockfiles, tests, and specific generated/fixture paths from
scanning.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
42c18c8. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: ulziibay-kernel

.github/workflows/semgrep.yml

@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/golang --config p/javascript'
+      codebase-description: 'Base browser images with Go server and JS client'
+    secrets: inherit

.semgrepignore

@@ -0,0 +1,10 @@
+node_modules/
+vendor/
+dist/
+.next/
+*_test.go
+go.sum
+package-lock.json
+server/lib/oapi/oapi.go
+images/chromium-headful/client/
+shared/cdp-test/