feat(ci): add nightly MSDO toolchain breach monitor

[DimaBir]

Summary

• Adds a nightly GitHub Agentic Workflow that monitors for supply chain breaches affecting MSDO toolchain (Trivy, Checkov, Bandit, ESLint, BinSkim, Template Analyzer, Terrascan, AntiMalware, Container Mapping)
• Creates a labeled GitHub issue ONLY when an incident is found — stays silent when everything is clean
• Adds .github/toolchain-inventory.yml as source of truth for monitored tools (derived from src/msdo-helpers.ts Tools enum)

Key design decisions

• on.roles: [write] — only write-access users can manually trigger
• engine: id: copilot — uses org-level Copilot (not personal subscription)
• lockdown: false — matches CI Doctor pattern
• permissions: contents: read, issues: read — minimal; all writes via safe-outputs only
• safe-outputs: create-issue max: 1 — capped issue creation with explicit label allowlist
• cron: daily (fuzzy schedule) — avoids load spikes
• Network allowlist — scoped to GitHub + NVD/CVE/OSV security databases
• Tool versions noted as "latest (runtime-resolved)" since MSDO CLI resolves all tool versions dynamically via NuGet at runtime
• Compiled with gh-aw v0.61.0, all actions SHA-pinned

Files

File	Purpose
.github/toolchain-inventory.yml	What tools we use (source of truth)
.github/workflows/msdo-breach-monitor.md	Agentic workflow definition
.github/workflows/msdo-breach-monitor.lock.yml	Compiled Actions workflow (auto-generated)
.github/aw/actions-lock.json	Added v0.61.0 SHA entry

Test plan

• Trigger manually: gh workflow run msdo-breach-monitor
• Verify workflow runs with org Copilot (not personal)
• Verify labels are created on first incident detection
• Verify no issue is created when no incidents are found
• Verify role gate: non-write users cannot manually trigger