* Add Pipelock agent security scan to CI
Scans PR diffs for leaked secrets and agent security risks.
Zero config, runs on every PR to main.
* Retrigger CI (v1 action tag now available)
* Harden checkout: persist-credentials false
Pipelock only reads local git history for diff scanning,
no auth token needed in .git/config.
