fix: add Sentinel CI workflow for workflow security scanning

[jpr5]

Summary

• Adds .github/workflows/sentinel.yml — runs jpr5/sentinel on every PR and push to main
• Warn-only mode (fail-on-findings: false) so existing workflows are not blocked
• Part of org-wide Sentinel rollout (spec)

Details

Sentinel scans GitHub Actions workflows for security issues (credential exposure, unpinned actions, excessive permissions, etc.). This PR enables it in advisory mode — findings appear as annotations but do not fail the check.

Severity threshold: high (only high-severity findings are reported).

Test plan

• Verify Sentinel check appears on this PR
• Confirm check completes without blocking merge (fail-on-findings: false)
• Review any findings surfaced by Sentinel on existing workflows

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@copilotkit/aimock@236

commit: d846f9e

[jpr5]

Force-pushed with SHA-pinned actions to satisfy zizmor's unpinned-uses rule. Per the org-wide sentinel rollout, the floating-tag-for-easy-updates model is being replaced with SHA-pin + dependabot. Spec updated. Rest of the PR unchanged.

[jpr5]

Promoted to blocking mode — this repo had zero sentinel findings on the warn-only scan, so we're skipping the 7-day warn-only observation period. fail-on-findings is now true; future PRs that introduce critical/high findings will block merge.