ci(security): add public-repo PII gate caller

[LukasWodka]

Adds the per-repo caller for the org-wide public-repo PII gate (tracebloc/.github#60). Blocks PRs whose title/body/commits contain a denylisted customer name or secret. Inactive (warn-only) until the PII_DENYLIST org secret is set, so this won't block existing PRs on merge.

Part of the public-repo PII cleanup (customer names were found leaked in public PR bodies).

[LukasWodka]

👋 Heads-up — Code review queue is at 32 / 30

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• .github#57 — fix(fr-gate): pass items at or beyond the required stage · author: @aptracebloc · no reviewer assigned
• .github#60 — feat(security): public-repo PII gate (block customer names + secrets in PRs) · author: @LukasWodka · no reviewer assigned
• averaging-service#117 — refactor(averaging): per-framework weight-handling seam (WS-B B1) · author: @divyasinghds · no reviewer assigned
• averaging-service#118 — feat(averaging): trainable-only keyed-dict weight format (WS-C docs: surface standalone installer in README and INSTALL.md #104) · author: @divyasinghds · no reviewer assigned
• averaging-service#119 — fix(averaging): exact federated GaussianNB merge — usable + correct (WS-B B2, chore(auto-upgrade): run cronjob hourly at :23 #112) · author: @divyasinghds · no reviewer assigned
• backend#815 — chore(deps): bump cryptography from 47.0.0 to 48.0.1 · author: @dependabot · no reviewer assigned
• backend#825 — feat(#763): distribute authoritative feature_columns to edges (phase 1) · author: @aptracebloc · reviewer: @saadqbal
• backend#829 — feat(#817): failure surfaces a reason end-to-end + stuck-run reaper (WS6 I3/I4/I5/I8) · author: @saadqbal · no reviewer assigned
• cli#78 — fix(dataset rm): delete staging files from a uid-65532 pod, not jobs-manager (bug: dataset rm cannot delete staging files — ingestor (uid 65534) vs jobs-manager uid mismatch, no shared fsGroup #259) · author: @LukasWodka · no reviewer assigned
• cli#79 — chore(schema): re-sync vendored ingest.v1.json from data-ingestors master · author: @LukasWodka · no reviewer assigned

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)