
[security]: remove hardcoded FOSSA token #1

Open
pschork wants to merge 1 commit into main from
feature/sec-37-exposed-private-key-and-api-key-in-public-repository

Conversation


@pschork pschork commented May 7, 2026

Summary

  • Replace the hardcoded FOSSA API token in the scan workflow with the FOSSA_API_KEY GitHub secret.
  • Skip the FOSSA scan when the secret is unavailable, which avoids leaking tokens to public PR contexts while keeping CodeQL running.
  • Add ignore rules for local secret artifacts such as .env, private key files, and build output.

Review & Testing Checklist for Human

  • Confirm the exposed FOSSA token has been revoked and FOSSA_API_KEY has been set to the rotated value in repo/org secrets.
  • Decide whether to rewrite exa-labs/flagger git history for the historical cosign/cosign.key blob referenced in SEC-37.
  • Verify the scan workflow behaves as expected on main after the secret is configured.

Notes

The reported Cosign key file is not present at HEAD, but it is still present in historical commit 33528b073f69ee2132352954d252ee65d33ec4a3. This PR prevents future local secret artifacts from being committed, but history rewriting is a separate repo maintenance action.

CI note: scan-fossa, scan-codeql, and CodeQL passed. build and e2e failed before any job steps ran; GitHub reports empty runner metadata and no logs, so this appears to be a runner scheduling/configuration failure rather than this PR's diff.

Link to Devin session: https://app.devin.ai/sessions/29d8ffcc1c58449b846300a248a7d4e5
Requested by: @pschork

Signed-off-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
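The workflow change the summary describes (hardcoded token replaced by the FOSSA_API_KEY secret, scan skipped when the secret is absent) as an added example, written by the editor and not taken from this PR's diff. It shows the weak job beside a hardened one. The action name fossas/fossa-action and its api-key input, the job name, and the placeholder token string are assumptions for illustration; the placeholder is not a real credential.

```yaml
# Added example, not the repository's actual workflow.
name: scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  # BEFORE (weak): the credential is a literal in a public repo. Anyone who
  # can read the repository (or its history) owns the token until it is rotated.
  scan-fossa-weak:
    runs-on: ubuntu-latest
    if: false   # disabled here so the example does not run the weak job
    steps:
      - uses: actions/checkout@v4
      - uses: fossas/fossa-action@v1        # assumed action name/input
        with:
          api-key: "FOSSA_TOKEN_PLACEHOLDER_DO_NOT_USE"   # placeholder, not a real token

  # AFTER (hardened): the token comes from a repository/organization secret.
  # On pull_request runs from forks GitHub does not expose secrets, so the
  # mapped env var is empty and the scan steps are skipped instead of failing
  # or exposing anything; pushes to main still scan.
  scan-fossa:
    runs-on: ubuntu-latest
    env:
      # Job-level mapping so the step-level `if` can test it via the env context
      # (the secrets context itself is not available in step `if` conditions).
      FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
    steps:
      - name: Explain skip when the secret is unavailable
        if: env.FOSSA_API_KEY == ''
        run: echo "FOSSA_API_KEY is not available in this context; skipping FOSSA scan"

      - uses: actions/checkout@v4
        if: env.FOSSA_API_KEY != ''

      - name: FOSSA analyze
        if: env.FOSSA_API_KEY != ''
        uses: fossas/fossa-action@v1        # assumed action name/input
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
```

Two caveats for anyone applying this pattern: do not switch the trigger to pull_request_target to make the secret available to fork PRs, since that runs with secrets against untrusted code; and rotating the secret in GitHub does nothing until the token that was committed is revoked on the FOSSA side, because the old value stays readable in git history.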

linear Bot commented May 7, 2026

SEC-37


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
