ci: harden workflows for fork PRs and add workflow validation

[Slokh]

Summary

• unify changelog validation into a single fork-safe check job in .github/workflows/changelog.yml
• harden fork PR behavior in lint/test workflows by removing secret-dependent git auth rewrites from validation jobs
• make tempo-lints fork-safe by disabling PR comment posting in CI validation
• harden changelog-generate pull_request_target flow with same-repo gating, branch-ref validation, and safer push behavior
• pin and trust-gate pr-audit reusable workflow invocation on issue comments
• add workflow-validation CI workflow with actionlint and policy checks for workflow security/fork-safety invariants
• fix existing flaky test in spec_alignment by replacing fixed sleeps with observable readiness checks and safer channel setup

Why

PR #349 was failing required checks in fork context due to permission and auth assumptions in workflows (comment-write and tokenized git auth behavior). These changes make required checks deterministic and safe for both branch and fork PRs while tightening security posture.

Validation

• make check
• repeated flaky test validation: cargo test -p tempo-request --test session -- new_session_while_prior_stream_active_recovers_without_state_corruption

[github-actions]

⚠️ Changelog not found.

A changelog entry is required before merging.

Add changelog