ci: add Semgrep SAST scanning on pull requests

Subscribes this repo to the shared Semgrep workflow in
kernel/security-workflows as part of expanding the elevated
vulnerability management scope to customer-facing SDKs
(KERNEL-1191, INC-51 follow-up).

Made-with: Cursor

Author: Sayan-

.github/workflows/semgrep.yml

@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/python --config p/trailofbits'
+      codebase-description: 'Stainless-generated Python SDK for the Kernel API (public PyPI package used by customers)'
+    secrets: inherit