This repository was archived by the owner on Apr 13, 2026. It is now read-only.

Normalize CI/CD workflows #129

@schmidtw

Workflow Gaps

The following CI/CD workflows do not match the xmidt-org Ideal State.

Missing or misconfigured workflows

  • ci.yml — file does not exist (currently using push.yml instead); must be named ci.yml, reference xmidt-org/shared-go/.github/workflows/ci.yml, have job name ci, set release-type: library, set yaml-lint-skip: false (or omit), and include top-level permissions: pull-requests: read, contents: write, packages: write
  • auto-releaser.yml — file does not exist; must reference xmidt-org/shared-go/.github/workflows/auto-releaser.yml with top-level permissions contents: write
  • approve-dependabot.yml — file does not exist (currently using dependabot-approver.yml instead); must be named approve-dependabot.yml and reference xmidt-org/shared-go/.github/workflows/approve-dependabot.yml
  • dependabot-approver.yml — file should be renamed to approve-dependabot.yml and reference xmidt-org/shared-go/.github/workflows/approve-dependabot.yml instead of xmidt-org/.github/.github/workflows/dependabot-approver-template.yml@main
  • proj-xmidt-team.yml — references wrong workflow; must reference xmidt-org/shared-go/.github/workflows/proj-xmidt-team.yml instead of xmidt-org/.github/.github/workflows/proj-template.yml@proj-v1
  • proj-xmidt-team.yml — missing top-level permissions block; must include contents: read, issues: write, pull-requests: write

Unpinned actions

All `uses:` references must pin to full 40-character commit SHAs with version comments:

  • `dependabot-approver.yml:12` — `uses: xmidt-org/.github/.github/workflows/dependabot-approver-template.yml@main` — must pin to full commit SHA with version comment
  • `proj-xmidt-team.yml:14` — `uses: xmidt-org/.github/.github/workflows/proj-template.yml@proj-v1` — must pin to full commit SHA with version comment
  • `push.yml:16` — `uses: actions/checkout@v2` — must pin to full commit SHA with version comment
  • `push.yml:20` — `uses: actions/setup-go@v2` — must pin to full commit SHA with version comment
  • `push.yml:42` — `uses: actions/upload-artifact@v2` — must pin to full commit SHA with version comment
  • `push.yml:49` — `uses: actions/upload-artifact@v2` — must pin to full commit SHA with version comment
  • `push.yml:62` — `uses: actions/checkout@v2` — must pin to full commit SHA with version comment
  • `push.yml:64` — `uses: golangci/golangci-lint-action@v2` — must pin to full commit SHA with version comment
  • `push.yml:82` — `uses: creekorful/goreportcard-action@v1.0` — must pin to full commit SHA with version comment
  • `push.yml:88` — `uses: actions/checkout@v2` — must pin to full commit SHA with version comment
  • `push.yml:93` — `uses: actions/download-artifact@v4.1.7` — must pin to full commit SHA with version comment
  • `push.yml:97` — `uses: actions/download-artifact@v4.1.7` — must pin to full commit SHA with version comment
  • `push.yml:101` — `uses: sonarsource/sonarcloud-github-action@master` — must pin to full commit SHA with version comment

Reference

  • Reference repos: xmidt-org/wrpssp, xmidt-org/wrp-go
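
Added example (not part of the original issue and not xmidt-org tooling): a minimal checker for the pinning rule above, which reports each `uses:` reference that is not pinned to a full 40-character commit SHA or lacks a trailing comment, in the same `file:line` form the issue uses. The function name, the sample workflow and the placeholder SHA are constructed for illustration, and treating any non-empty trailing comment as the version comment is an assumption.

```python
import re

# A `uses:` key, optionally as a list item; captures the reference and any trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(.*))?$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def find_unpinned(filename, text):
    """Return (location, reference, problem) for every `uses:` line that is not
    pinned to a full commit SHA followed by a version comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and docker:// images carry no git ref; out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, rev = ref.rpartition("@")
        if not sep or not SHA_RE.match(rev):
            findings.append((f"{filename}:{lineno}", ref, "not pinned to a full commit SHA"))
        elif not comment:
            # Assumption: any non-empty trailing comment counts as the version comment.
            findings.append((f"{filename}:{lineno}", ref, "missing version comment"))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
name: CI
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v0.0.0 (placeholder)
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
  lint:
    uses: xmidt-org/.github/.github/workflows/proj-template.yml@proj-v1
"""

if __name__ == "__main__":
    for location, ref, problem in find_unpinned("sample.yml", SAMPLE):
        print(f"{location}: uses: {ref}: {problem}")
```
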

Labels: normalize (Repo normalization work)
