chore: add dependency-scan GitHub Actions workflow

[pkaeding]

Summary

Add dependency-scan GitHub Actions workflow to generate Software Bill of Materials (SBOM) for both Go and Node.js components in this mixed-language repository, addressing SEC-7263 security requirements.

Requirements

• I have added test coverage for new or changed functionality
• I have followed the repository's pull request submission guidelines
• I have validated my changes against all supported platform versions

Related issues

SEC-7263 - Add dependency scanning workflows to LaunchDarkly npm ecosystem repositories

Describe the solution you've provided

This PR adds a GitHub Actions workflow (.github/workflows/dependency-scan.yml) that:

• Generates separate SBOMs for Go and Node.js dependencies using parallel jobs
• Uses launchdarkly/gh-actions for SBOM generation and policy evaluation (appropriate for public repositories)
• Evaluates generated SBOMs against defined security policies with combined artifact collection (bom-* pattern)
• Triggers on pull requests and main branch pushes for comprehensive coverage

The workflow structure accommodates this repository's mixed-language nature with separate generate-go-sbom and generate-nodejs-sbom jobs that run in parallel, followed by a unified evaluate-policy job.

Critical items for review:

1. Verify mixed-language setup: Confirm this repository actually contains both Go and Node.js components that need separate SBOM generation
2. Check Node.js component location: If Node.js files are in a subdirectory (e.g., internal/dev_server/ui), the workflow may need a project-directory parameter
3. Validate action repository: Ensure launchdarkly/gh-actions is correct for this repository's visibility (vs launchdarkly/common-actions for private repos)
4. Monitor first workflow run: This is untested automation - watch for syntax errors, authentication issues, or artifact generation failures

Additional context

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding

This repository includes both Go (main application) and Node.js components. The workflow has been configured to generate SBOMs for both languages to provide comprehensive dependency visibility for security analysis.

---

Related Jira issue: SEC-7263: Investigate impact of compromised NPM packages: debug and chalk

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

🔍 SBOM Analysis Results

The dependency-scan workflow has completed successfully for this repository:

✅ SBOM Generation: Successfully generated Software Bill of Materials (SBOM) for all Node.js dependencies
✅ Policy Evaluation: All dependencies passed security policy evaluation with 0 violations detected

Summary

• Status: CLEAN - No license policy violations found
• Dependencies Analyzed: All npm/Node.js packages in this repository
• Security Findings: None - all dependencies comply with LaunchDarkly security policies

This repository's dependencies are compliant with current security policies and do not require any remediation actions.

---

This analysis was performed as part of SEC-7263 security initiative to implement dependency scanning across LaunchDarkly npm ecosystem repositories.