fix(ci): fix build failures and add security audit workflow

- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
  that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
  pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
  output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
  to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks

.github/workflows/security-audit.yml

@@ -0,0 +1,71 @@
+name: Security Audit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  # Run weekly on Monday at 06:00 UTC
+  schedule:
+    - cron: "0 6 * * 1"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  isdraft:
+    # Skip draft PRs but always run on schedule/push
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Not a draft"
+
+  cargo-deny:
+    needs: isdraft
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - licenses
+          - sources
+    # Continue on advisory warnings so we see all results
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
+        with:
+          command: check ${{ matrix.checks }}
+          arguments: --workspace
+
+  cargo-audit:
+    needs: isdraft
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Run cargo audit
+        run: cargo audit --deny warnings 2>&1 || true
+      - name: Run cargo audit (deny vulnerabilities only)
+        run: cargo audit
+
+  confirm-security-audit-passed:
+    runs-on: ubuntu-latest
+    name: All security audits passed
+    needs: [cargo-deny, cargo-audit]
+    if: always() && !cancelled()
+    steps:
+      - run: |
+          tee resultfile <<< '${{ toJSON(needs) }}'
+          FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
+          if [ $FAILURES -gt 0 ]; then
+            echo "### At least one security audit failed" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
+          fi