ci: add ActionScope GitHub Actions security exposure scan

[r12habh]

What

Adds a lightweight ActionScope workflow to scan GitHub Actions, Terraform, and IAM/policy JSON changes for CI/CD security exposure.

The workflow is intentionally conservative:

• runs only when workflow/action/IaC/policy files change, plus manual dispatch
• uses only contents: read
• does not call AWS APIs or require cloud credentials
• pins actions/checkout to a full commit SHA
• installs actionscope>=0.3.5,<1.0 from PyPI
• fails only on critical findings, so the current non-critical findings do not block CI

Why

I ran ActionScope locally against this repository and it found enough workflow-level signal to make a recurring check useful.

Workflows scanned: 10
AWS credential sources: 0
Overall risk: HIGH
Critical: 0 | High: 14 | Medium: 2 | Low: 18

Notable current signal:

• Several workflows grant id-token: write or write-capable GITHUB_TOKEN scopes.
• No critical findings were detected with the current scanner.

Because this uses --fail-on critical, this PR should add visibility without changing the current pass/fail posture.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4f391f6. Configure here.}

[cursor]

Missing Python setup breaks pip

High Severity

The job runs on ubuntu-24.04 and installs actionscope with system python3 -m pip install, but there is no actions/setup-python step or virtualenv. On that image, PEP 668 blocks installs into the default interpreter, so the install step fails and the scan never runs.

 

^{Reviewed by Cursor Bugbot for commit 4f391f6. Configure here.}