[SEC-7263] Add dependency-scan GitHub Actions workflow

[pkaeding]

SEC-7263 Add dependency-scan GitHub Actions workflow

Summary

Adds a new GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against LaunchDarkly's license policies. This workflow is part of security initiative SEC-7263 to implement dependency scanning across all LaunchDarkly npm ecosystem repositories.

The workflow includes two jobs:

• generate-nodejs-sbom: Creates SBOM using launchdarkly/gh-actions
• evaluate-policy: Evaluates generated SBOM against defined license policies

Review & Testing Checklist for Human

• Test workflow execution: Create a test PR to verify the workflow runs successfully without errors
• Verify SBOM generation: Confirm the workflow generates valid SBOM artifacts for this repository's minimal dependency set (@launchdarkly/node-server-sdk)
• Check policy evaluation: Ensure policy evaluation doesn't block legitimate dependencies or flag false positives
• Validate CI integration: Confirm the new workflow doesn't interfere with existing CI processes or cause build failures

Notes

• This workflow uses the public launchdarkly/gh-actions repo (appropriate for public repositories)
• Policy evaluation may detect legitimate license violations - this is expected behavior, not a bug
• Similar workflows have been implemented across ~16 other LaunchDarkly npm repositories as part of this initiative
• Requested by: @pkaeding
• Link to Devin session: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring