feat: support scan-and-fix mode and diff-aware scanning#37

Open

antonychiu2 wants to merge 3 commits into main from feat/scan-and-fix-diff-aware

Conversation

@antonychiu2
Collaborator

@antonychiu2 antonychiu2 commented May 25, 2026

Summary

  • Make report-file optional. Omitting it enables Mobb's scan-and-fix mode: the Mobb CLI runs its own SAST scan (internal opengrep) instead of consuming an external SARIF/JSON report.
  • Add a new optional diff-aware input (default false). When set to true and the workflow is triggered by a pull_request event, the action passes --baseline-commit <pr.base.sha> to mobbdev analyze, enabling diff-aware scanning. Outside of PR context the flag is silently ignored.
  • README updated with a scan-and-fix example workflow and a description of the two modes.

No changes to the existing fix-only flow — workflows that already pass report-file keep working unchanged.

Test plan

  • Run a workflow with report-file set (existing fix-only path) and confirm -f <path> still appears in the logged Mobb command.
  • Run a workflow without report-file and confirm the log says "Running in scan-and-fix mode" and no -f is appended.
  • Run a pull_request workflow with diff-aware: true and confirm --baseline-commit <sha> is appended using github.event.pull_request.base.sha.
  • Run a push (non-PR) workflow with diff-aware: true and confirm the action logs the skip message and does not append --baseline-commit.

Make report-file optional so users can run Mobb's native scan-and-fix
mode (internal opengrep scan). Add a new diff-aware input that, when
true on a pull_request event, passes the PR base SHA to the CLI as
--baseline-commit for diff-aware scanning. README updated with a
scan-and-fix example workflow.
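The argument-building logic that the test plan above exercises (fix-only vs. scan-and-fix, and `--baseline-commit` only inside a `pull_request` event), written out as an added example. This is a hypothetical helper, not the action's own code; the function name `buildAnalyzeArgs`, its parameter names, and the exact wording of the skip message are assumptions.

```javascript
// Hypothetical helper (not the action's own code): builds the argument list
// for `mobbdev analyze` from the action inputs and the workflow event context,
// following the behaviour described in the PR summary and test plan.
// Assumed names: buildAnalyzeArgs, its parameters, and the returned `log` lines.

// GitHub passes action inputs as strings, so `diff-aware: true` arrives as "true".
function parseBoolInput(value) {
  return String(value ?? '').trim().toLowerCase() === 'true';
}

function buildAnalyzeArgs({ reportFile, diffAware, eventName, prBaseSha }) {
  const args = ['analyze'];
  const log = [];

  // Fix-only mode: an external SARIF/JSON report is passed with -f.
  // Scan-and-fix mode: no report given, so the CLI runs its own SAST scan.
  if (reportFile) {
    args.push('-f', reportFile);
  } else {
    log.push('Running in scan-and-fix mode');
  }

  // A baseline commit only exists inside a pull_request event
  // (github.event.pull_request.base.sha); elsewhere the flag is ignored.
  if (diffAware) {
    if (eventName === 'pull_request' && prBaseSha) {
      args.push('--baseline-commit', prBaseSha);
    } else {
      log.push(`diff-aware is true but event is "${eventName}"; skipping --baseline-commit`);
    }
  }

  return { args, log };
}

// The four scenarios from the test plan, with constructed sample inputs.
const scenarios = [
  { reportFile: 'results.sarif', diffAware: parseBoolInput('false'), eventName: 'push' },
  { reportFile: undefined, diffAware: parseBoolInput('false'), eventName: 'push' },
  { reportFile: undefined, diffAware: parseBoolInput('true'), eventName: 'pull_request', prBaseSha: 'abc123def456' },
  { reportFile: undefined, diffAware: parseBoolInput('true'), eventName: 'push' },
];

for (const s of scenarios) {
  const { args, log } = buildAnalyzeArgs(s);
  console.log(`mobbdev ${args.join(' ')}`, log.length ? `  # ${log.join('; ')}` : '');
}
```

The same helper can be used to unit-test a workflow matrix offline: feed it the inputs each job would pass and assert on `args`, which is cheaper than reading the logged Mobb command after a live run.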
@github-actions

ghost commented May 25, 2026

No security issues were found ✅

Awesome! No vulnerabilities were found by CodeQL in the changes made as part of this PR.
Please notice there are issues in this repo that are unrelated to this PR.

@antonychiu2 antonychiu2 requested review from mobbjon and yhaggai May 25, 2026 18:01