Normalize CI/CD workflows #112

@schmidtw

Workflow Gaps

The following CI/CD workflows do not match the xmidt-org Ideal State.

Missing or misconfigured workflows

  • ci.yml — missing top-level permissions: block (should have pull-requests: read, contents: write, packages: write)
  • auto-releaser.yml — file does not exist (required)
  • approve-dependabot.yml — file does not exist (found dependabot-approver.yml instead, which references wrong workflow)
  • dependabot-approver.yml — references xmidt-org/.github/.github/workflows/dependabot-approver-template.yml instead of xmidt-org/shared-go/.github/workflows/approve-dependabot.yml
  • proj-xmidt-team.yml — references xmidt-org/.github/.github/workflows/proj-template.yml instead of xmidt-org/shared-go/.github/workflows/proj-xmidt-team.yml
  • proj-xmidt-team.yml — missing top-level permissions: block (should have contents: read, issues: write, pull-requests: write)

Unpinned actions

  • dependabot-approver.yml:15 uses: xmidt-org/.github/.github/workflows/dependabot-approver-template.yml@main — must pin to full commit SHA with version comment
  • proj-xmidt-team.yml:17 uses: xmidt-org/.github/.github/workflows/proj-template.yml@proj-v1 — must pin to full commit SHA with version comment

Missing or incorrect permissions blocks

  • ci.yml — missing top-level permissions: (needs pull-requests: read, contents: write, packages: write)
  • proj-xmidt-team.yml — missing top-level permissions: (needs contents: read, issues: write, pull-requests: write)

Reference

  • Reference repos: xmidt-org/wrpssp, xmidt-org/wrp-go
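
A minimal lint for the two rules this issue applies (every external `uses:` pinned to a full commit SHA with a version comment, and a top-level `permissions:` block), added here as an illustration and not part of the issue or of xmidt-org's tooling. The sample workflow, the `example-org` actions and the SHA are constructed; the check is line-based and assumes conventionally indented YAML.

```python
import re

# Constructed sample workflow, modelled on the findings listed in the issue.
# The example-org actions and the 40-character SHA are placeholders.
SAMPLE = """\
name: proj
on: [issues]
jobs:
  add:
    uses: xmidt-org/.github/.github/workflows/proj-template.yml@proj-v1
  lint:
    permissions:
      contents: read
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

# Captures the action/workflow reference and an optional trailing comment.
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S.*))?$")
SHA = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_number, message) findings for one workflow file."""
    findings = []
    lines = text.splitlines()
    # A top-level key starts in column 0; job-level permissions are indented.
    if not any(re.match(r"permissions\s*:", ln) for ln in lines):
        findings.append((0, "missing top-level permissions: block"))
    for n, ln in enumerate(lines, 1):
        m = USES.match(ln)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images have no git ref to pin
        ref = target.rpartition("@")[2] if "@" in target else ""
        if not SHA.fullmatch(ref):
            findings.append((n, f"{target}: not pinned to a full commit SHA"))
        elif not comment:
            findings.append((n, f"{target}: pinned, but no version comment"))
    return findings

if __name__ == "__main__":
    for line_no, msg in audit_workflow(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Line 0 in the output denotes a file-level finding. A job-level `permissions:` block, as in the sample, does not satisfy the top-level requirement.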

Labels: normalize (Repo normalization work)