ci: Add dependency-scan GitHub Actions workflow (#54)
## Summary

Adds dependency-scan GitHub Actions workflow to generate Software Bill of Materials (SBOM) and evaluate license policies for Node.js dependencies as part of security initiative SEC-7263.

## Changes

- **New workflow file**: `.github/workflows/dependency-scan.yml`
- **Two jobs**:
  1. `generate-nodejs-sbom` - Generates SBOM for Node.js dependencies
  2. `evaluate-policy` - Evaluates SBOM against LaunchDarkly license policies
- **Triggers**: Pull requests and pushes to main branch
- **Uses pinned SHA** for `actions/checkout@v4` following security best practices

## Requirements

- [ ] I have added test coverage for new or changed functionality *(N/A - workflow file)*
- [ ] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [ ] I have validated my changes against all supported platform versions *(Will be validated by CI)*

## Related issues

Part of security initiative SEC-7263 for adding dependency scanning across LaunchDarkly npm ecosystem repositories.

## Human Review Checklist

**Critical items to verify:**

- [ ] Workflow syntax is correct and jobs have proper dependencies
- [ ] Artifact pattern `bom-*` in `evaluate-policy` job matches what `generate-sbom` produces
- [ ] Uses correct `launchdarkly/gh-actions` repository (public actions for public repo)
- [ ] Pinned SHA `08eba0b27e820071cde6df949e0beb9ba4906955` is correct for `actions/checkout@v4`
- [ ] Workflow follows LaunchDarkly security standards

**Expected behavior:**

- Workflow should run on PRs and main branch pushes
- First job generates SBOM file for Node.js dependencies
- Second job evaluates SBOM against license policies
- May detect legitimate license policy violations (expected behavior)

## Additional context

- This is part of systematic rollout across LaunchDarkly npm ecosystem repositories
- Similar workflows already successfully deployed to other repositories in the organization
- The workflow may detect license policy violations - this is expected behavior, not a failure

---

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b

Requested by: @pkaeding

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1 parent d6f0227 commit ae39134

1 file changed

Lines changed: 30 additions & 0 deletions

@@ -0,0 +1,30 @@
1+
name: Dependency Scan
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches:
7+
- main
8+
9+
jobs:
10+
generate-nodejs-sbom:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
14+
15+
- name: Generate SBOM
16+
uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
17+
with:
18+
types: 'nodejs'
19+
20+
evaluate-policy:
21+
runs-on: ubuntu-latest
22+
needs:
23+
- generate-nodejs-sbom
24+
steps:
25+
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
26+
27+
- name: Evaluate SBOM Policy
28+
uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
29+
with:
30+
artifacts-pattern: bom-*
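Review bot: the two first-party steps, `uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main` and `uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main`, reference a mutable branch, so only `actions/checkout` is actually pinned even though the commit message cites pinned SHAs as a security best practice; anyone who can push to `main` of `launchdarkly/gh-actions` can change what runs in this repo's CI. Pin both to a full commit SHA with a version comment, in the same style as the checkout step, or record in the workflow why `@main` is intentional for these actions. Two smaller points: the workflow sets no `permissions:` block, so the `GITHUB_TOKEN` the jobs receive is whatever the repository default is; adding `permissions:` with `contents: read` at the top level would make the least-privilege intent explicit for what is a read-only scan. And `evaluate-policy` checks out the repository before a step whose only visible input is `artifacts-pattern: bom-*`; whether the policy action needs the source tree is not visible here, so confirm that the checkout is required rather than carried over from the first job.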
