feat(ci): Add Fortress Code Reviewer security scan workflow (#5639)

Add GitHub Actions workflow to run Fortress Code Reviewer security scan
on every PR against the master branch. The workflow:

- Triggers on pull_request_target against master
- Performs collaborator check (auto-approve for collaborators, manual
  approval for external contributors)
- Configures AWS credentials via OIDC
- Triggers the sagemaker-python-sdk-ci-fortress-scan CodeBuild project

The CodeBuild project installs Fortress at runtime from S3-hosted wheels
and uses Bedrock (Claude) to analyze code for security vulnerabilities.

---
X-AI-Prompt: Add Fortress security scan GitHub workflow for PR scanning
X-AI-Tool: Kiro

Author: jam-jee

.github/workflows/fortress-scan.yml

@@ -0,0 +1,62 @@
+name: Fortress Security Scan
+on:
+  pull_request_target:
+    branches:
+      - "master"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+
+jobs:
+  collab-check:
+    runs-on: ubuntu-latest
+    outputs:
+      approval-env: ${{ steps.collab-check.outputs.result }}
+    steps:
+      - name: Collaborator Check
+        uses: actions/github-script@v7
+        id: collab-check
+        with:
+          github-token: ${{ secrets.COLLAB_CHECK_TOKEN }}
+          result-encoding: string
+          script: |
+            try {
+              const res = await github.rest.repos.checkCollaborator({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: "${{ github.event.pull_request.user.login }}",
+              });
+              console.log("Verified ${{ github.event.pull_request.user.login }} is a repo collaborator. Auto Approving.")
+              return res.status == "204" ? "auto-approve" : "manual-approval"
+            } catch (error) {
+              console.log("${{ github.event.pull_request.user.login }} is not a collaborator. Requiring Manual Approval.")
+              return "manual-approval"
+            }
+
+  wait-for-approval:
+    runs-on: ubuntu-latest
+    needs: [collab-check]
+    environment: ${{ needs.collab-check.outputs.approval-env }}
+    steps:
+      - run: echo "Workflow Approved! Starting Fortress Security Scan."
+
+  fortress-scan:
+    runs-on: ubuntu-latest
+    needs: [wait-for-approval]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 10800
+
+      - name: Run Fortress Security Scan
+        uses: aws-actions/aws-codebuild-run-build@v1
+        with:
+          project-name: ${{ github.event.repository.name }}-ci-fortress-scan
+          source-version-override: 'refs/pull/${{ github.event.pull_request.number }}/head^{${{ github.event.pull_request.head.sha }}}'