fix(ci): gate canonical-only jobs for security fork support

Summary

  • Adds CANONICAL_PROJECT_ID variable and rule templates so the security mirror (gitlab-org/security/orbit/knowledge-graph, ID 80999258) can run CI pipelines without triggering jobs that belong on canonical only.
  • Gates semantic-release, proto gem publish, docs review, AI review, and SBOM generation to canonical.
  • Forces sccache to READ_ONLY on non-canonical projects to prevent cache writes from the security fork.

Jobs that still run on the security fork: lint, test, security scans, docker builds, release builds. Everything needed to build and push a security fix image.

Relates to #386
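
The gating described in this summary, written as GitLab CI configuration. This is an added example, not the merge request's own code: the template name `.canonical-only`, the job bodies and the `<canonical-project-id>` placeholder are assumptions, and `SCCACHE_GCS_RW_MODE` assumes sccache is using its GCS backend.

```yaml
stages: [test, release]

variables:
  # Placeholder: the canonical project's numeric ID is not given on the page.
  # An unset or wrong value never equals CI_PROJECT_ID, so gated jobs fail closed.
  CANONICAL_PROJECT_ID: "<canonical-project-id>"

workflow:
  rules:
    # Any project other than canonical (for example the security mirror)
    # may read the shared compiler cache but never write to it.
    - if: '$CI_PROJECT_ID != $CANONICAL_PROJECT_ID'
      variables:
        SCCACHE_GCS_RW_MODE: "READ_ONLY"   # assumption: GCS-backed sccache
    - when: always

# Hypothetical hidden template: a job extending it is only added to the
# pipeline when the pipeline runs in the canonical project.
.canonical-only:
  rules:
    - if: '$CI_PROJECT_ID == $CANONICAL_PROJECT_ID'

# Publishing job: gated, so it is absent from security-fork pipelines.
semantic-release:
  extends: .canonical-only
  stage: release
  script:
    - echo "publish step (constructed placeholder)"

# Build and verification job: no gate, so it runs in both projects.
test:
  stage: test
  script:
    - echo "test step (constructed placeholder)"
```

Comparing against the predefined `CI_PROJECT_ID` rather than the project path keeps the gate intact if a project is renamed or moved.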
