
ci: auto-dismiss security alerts in samples/ #12742

Open

MichakrawSB wants to merge 1 commit into master from auto-dismiss-samples-alerts

Conversation

@MichakrawSB (Contributor)

Summary

  • samples/ contains generated integration-test fixtures, not production code — security alerts from it are noise with no actionable fix
  • Adds a daily scheduled workflow that auto-dismisses both Dependabot (tolerable_risk) and code scanning (used in tests) alerts whose path starts with samples/
  • The workflow also runs on workflow_dispatch for on-demand clearing

What was already in place

  • The CodeQL workflow already uses filter-sarif to exclude samples/** from CodeQL results ✅
  • dependabot.yml has exclude-paths: samples/** — but this only prevents version-update PRs, not security alerts

What this adds

.github/workflows/auto-dismiss-samples-alerts.yml — a cron job (daily 06:00 UTC) that:

  1. Pages through all open Dependabot alerts, dismisses any with a manifest path under samples/
  2. Pages through all open code scanning alerts, dismisses any with a location path under samples/

Notes

  • The 6 open Dependabot alerts and 1 Wiz IaC alert that were in samples/ have already been dismissed manually ahead of this PR
  • If GITHUB_TOKEN turns out to lack Dependabot write permissions in the org context, replace it with a repo-scoped PAT stored as a secret

Test plan

  • Merge and verify the workflow runs successfully on the next scheduled trigger (or run manually via Actions → "Auto-dismiss security alerts in samples/" → Run workflow)
  • Confirm the Security tab stays clean after the next Dependabot alert cycle

🤖 Generated with Claude Code

samples/ contains generated integration-test fixtures (not production code)
so security alerts from that directory are noise. This daily workflow
dismisses any open alerts whose path starts with samples/ automatically.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
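As an added illustration, not the PR's workflow (which is not shown on this page): a Python stand-in for the dismissal logic the description outlines, paging through open Dependabot and code scanning alerts and dismissing those whose path is under samples/. It assumes the GitHub REST alert endpoints and JSON fields used below and a token with alert write access (the PR notes GITHUB_TOKEN may need replacing with a PAT); the alerts in `offline_demo` are constructed, and the check that all open alerts are collected before any is dismissed is added here because dismissing while paging a state=open listing shifts the pages.

```python
import json
import urllib.request
API = "https://api.github.com"
PREFIX = "samples/"
# Per alert type: REST endpoint, path extractor, dismissal reason named in the PR.
ALERT_KINDS = {
    "dependabot": ("dependabot/alerts", lambda a: a["dependency"]["manifest_path"],
                   "tolerable_risk"),
    "code-scanning": ("code-scanning/alerts",
                      lambda a: a["most_recent_instance"]["location"]["path"], "used in tests"),
}

def github(method, url, token, body=None):
    """Minimal GitHub REST call; token needs alert write access (see PR note on PAT)."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28"}, data=json.dumps(body).encode() if body else None)
    return json.loads(urllib.request.urlopen(req).read() or b"null")

def under_samples(path):
    """Directory-prefix match: 'samples/x' and './samples/x' hit, 'samples-old/x' does not."""
    return path.lstrip("./").startswith(PREFIX)

def dismiss_samples_alerts(repo, token, kind, call=github):
    """Collect all open alerts of one kind, then dismiss those under samples/.
    Collect first: dismissing while paging a state=open list shifts the pages."""
    endpoint, path_of, reason = ALERT_KINDS[kind]
    base = f"{API}/repos/{repo}/{endpoint}"
    open_alerts, page = [], 1
    while batch := call("GET", f"{base}?state=open&per_page=100&page={page}", token):
        open_alerts.extend(batch)
        page += 1
    targets = [a["number"] for a in open_alerts if under_samples(path_of(a))]
    for number in targets:
        call("PATCH", f"{base}/{number}", token, {"state": "dismissed",
             "dismissed_reason": reason, "dismissed_comment": "test fixture under samples/"})
    return targets

def offline_demo():
    """Run the selection over constructed alerts, no network; returns (dismissed, PATCH bodies)."""
    pages = [[{"number": 1, "dependency": {"manifest_path": "samples/a/package-lock.json"}},
              {"number": 2, "dependency": {"manifest_path": "src/package-lock.json"}}],
             [{"number": 3, "dependency": {"manifest_path": "./samples/b/go.sum"}},
              {"number": 4, "dependency": {"manifest_path": "samples-old/go.sum"}}], []]
    sent = []
    def fake(method, url, token, body=None):  # constructed stand-in for github()
        if method == "GET":
            return pages[int(url.rsplit("page=", 1)[1]) - 1]
        sent.append(body)
    return dismiss_samples_alerts("org/repo", "dummy-token", "dependabot", call=fake), sent
```

Running `dismiss_samples_alerts(repo, token, kind)` for each key of `ALERT_KINDS` from a scheduled job reproduces the two steps the PR description lists.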
1 participant