
Switch e2e CI jobs to workload identity federation#1018

Merged
ashwin-ant merged 1 commit into main from ci-wif-e2e on Jun 2, 2026

Conversation

@ashwin-ant
Collaborator

What

  • The test-e2e, test-e2e-docker, and test-examples jobs in test.yml still authenticated with the ANTHROPIC_API_KEY secret, which is no longer valid — every push to main has failed since May 23 (e.g. this run), which blocks the auto-release workflow and has kept the published SDK pinned to bundled CLI 2.1.150. Fixes #1003 (CI failing, no new package updates, bundled cli stuck to 2.1.150, so no Opus 4.8).
  • Authenticate via workload identity federation instead, like the claude.yml / claude-code-review.yml / claude-issue-triage.yml workflows already do. The SDK inherits the federation env vars (ANTHROPIC_FEDERATION_RULE_ID, ANTHROPIC_ORGANIZATION_ID, ANTHROPIC_SERVICE_ACCOUNT_ID, ANTHROPIC_IDENTITY_TOKEN_FILE) into the CLI subprocess, and the CLI exchanges the OIDC token for a short-lived access token.
  • Since these jobs invoke the CLI directly rather than through claude-code-action, a new local composite action (.github/actions/setup-claude-auth) mints the workflow's GitHub OIDC token, writes it to a file, and exports ANTHROPIC_IDENTITY_TOKEN_FILE. The e2e jobs run 7–10 minutes — longer than a GitHub OIDC token stays valid — so the action also leaves behind a detached refresher process that rewrites the file every 4 minutes (the same refresh approach claude-code-action uses internally).
  • The Docker job bind-mounts the token file into the container; the file is rewritten in place so the mounted copy stays fresh.
  • Each affected job gains id-token: write. The existing fork-PR skip conditions are unchanged in effect: fork PRs couldn't read the secret before and can't mint OIDC tokens now.

Testing

  • YAML and JS validated locally; this PR's own CI exercises all three migrated jobs end-to-end (the e2e jobs run on same-repo PRs).
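
Added example, not the PR's own action code (which this page does not show): a POSIX shell sketch of the mint-write-refresh flow the description outlines for .github/actions/setup-claude-auth, including the `exp` check a job can use to confirm the file on disk is still valid. It assumes the ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN variables GitHub provides to jobs with `id-token: write`, an audience of `anthropic`, and a caller-chosen token path; the in-place overwrite is deliberate, since a Docker bind mount of the file pins its inode.

```shell
#!/bin/sh
# Added example, not the PR's own action code. Sketches the flow described for
# .github/actions/setup-claude-auth: mint the job's GitHub OIDC token, write it
# to the file later exported as ANTHROPIC_IDENTITY_TOKEN_FILE (echo into
# $GITHUB_ENV), and refresh it in the background. ACTIONS_ID_TOKEN_REQUEST_URL
# and _TOKEN are set by GitHub for jobs with `id-token: write`; audience assumed.
set -eu

# Pull the token out of the endpoint's {"value":"..."} JSON reply (no jq needed).
token_from_response() {
  printf '%s' "$1" | sed -n 's/.*"value":[ ]*"\([^"]*\)".*/\1/p'
}

# Read the `exp` claim of a JWT so a step can verify the token on disk is still
# valid instead of trusting the refresh interval blindly.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in   # base64url drops padding; restore it
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d | sed -n 's/.*"exp":[ ]*\([0-9]*\).*/\1/p'
}

# Overwrite the token file in place (truncate; same inode), never via rename:
# the Docker job bind-mounts this file, and a bind mount pins the inode, so a
# renamed replacement would leave the container reading the stale token.
write_token_in_place() {
  ( umask 077; printf '%s' "$2" > "$1" )
}

# Ask the runner's ID-token service for a fresh OIDC token.
mint_oidc_token() {
  audience=${1:-anthropic}   # assumption: audience the federation rule expects
  resp=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${audience}")
  token_from_response "$resp"
}

# Detached refresher: rewrite the file every INTERVAL seconds (4 min by default)
# for the rest of the job; stdio is detached so the step does not wait on it.
start_refresher() {
  file=$1; interval=${2:-240}
  ( trap '' HUP
    while sleep "$interval"; do
      write_token_in_place "$file" "$(mint_oidc_token)"
    done ) </dev/null >/dev/null 2>&1 &
  echo $!   # refresher PID, handy for a cleanup step
}
```

A setup step would call `write_token_in_place "$f" "$(mint_oidc_token)"`, append `ANTHROPIC_IDENTITY_TOKEN_FILE=$f` to `$GITHUB_ENV`, then `start_refresher "$f"`.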

The e2e, Docker, and example jobs in test.yml authenticated with the
ANTHROPIC_API_KEY secret, which is no longer valid, so every push to
main fails and blocks the auto-release workflow. Authenticate via
workload identity federation instead: a local composite action mints
the workflow's GitHub OIDC token, writes it to a file for the CLI to
exchange, and refreshes it in the background since the e2e jobs run
longer than the token stays valid.
@ashwin-ant ashwin-ant merged commit e68beb2 into main Jun 2, 2026
11 checks passed
@ashwin-ant ashwin-ant deleted the ci-wif-e2e branch June 2, 2026 21:45

Development

Successfully merging this pull request may close these issues.

CI failing, no new package updates, bundled cli stuck to 2.1.150, so no Opus 4.8