
feat: add reusable vendored-file sync workflow that opens PRs instead of hard-failing lint #83

@DevSecNinja

Description


Problem

Repos that vendor shared files, such as scripts/lib/log.sh, currently detect drift during lint and fail hard. Example from DevSecNinja/truenas-apps PR #372: the "vendored libs in sync" job failed at sha256sum -c log.sh.sha256 because scripts/lib/log.sh had been locally modified without the matching upstream vendored artifact/checksum.

This is useful as validation, but it is not a good maintenance workflow: drift requires a human to notice the failed lint job and manually run the repo-specific refresher script.

Proposal

Add a reusable workflow or composite action in DevSecNinja/.github for vendored-file sync checks that can:

  1. Run the repo-provided refresher command, for example bash scripts/update-log-sh.sh.
  2. Detect resulting diffs in configured paths, for example scripts/lib/.
  3. Use the existing DevSecNinja/.github/actions/open-pr action to open or update a maintenance PR with the refreshed vendored files.
  4. Keep PR lint as validation-only, but move scheduled/manual maintenance to the auto-PR workflow.
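The following shell script is an added illustration of the split described in steps 1 to 4; it is not code from DevSecNinja/.github or from the truenas-apps repository. `vendored_validate` reproduces the lint-style hard failure by checking every `*.sha256` file under the watched paths, and `vendored_drift` runs a caller-supplied refresher command and prints the watched paths that changed relative to HEAD, which is the list a PR-opening step would consume. The function names, the `make_demo_repo` helper, the constructed log.sh content and the tiny `scripts/update-log-sh.sh` refresher it writes are all assumptions made for this example; opening the PR itself is left to the existing open-pr action, whose inputs are not described on this page.

```shell
#!/usr/bin/env sh
# Added example, not code from DevSecNinja/.github. Requires git and GNU sha256sum.
set -eu

# Validation mode (what PR lint does today): verify every *.sha256 file under
# the watched directories. Returns non-zero if any vendored file has drifted.
#   usage: vendored_validate REPO_DIR WATCHED_DIR...
vendored_validate() {
  repo="$1"; shift
  status=0
  for dir in "$@"; do
    for sums in "$repo/$dir"/*.sha256; do
      [ -e "$sums" ] || continue
      (cd "$repo/$dir" && sha256sum -c --quiet "$(basename "$sums")") || status=1
    done
  done
  return "$status"
}

# Remediation mode (the proposed scheduled/manual workflow): run the repo-provided
# refresher, then print watched paths that now differ from HEAD. Empty output
# means no drift and therefore no PR to open or update.
#   usage: vendored_drift REPO_DIR "REFRESHER_COMMAND" WATCHED_DIR...
vendored_drift() {
  repo="$1"; refresher="$2"; shift 2
  (cd "$repo" && sh -c "$refresher" >/dev/null)
  git -C "$repo" status --porcelain --untracked-files=all -- "$@" | awk '{print $2}'
}

# Constructed demo repository reproducing the issue's scenario: the committed
# scripts/lib/log.sh was locally modified, but log.sh.sha256 still records the
# upstream checksum. A hypothetical refresher restores the upstream copy.
make_demo_repo() {
  repo="$(mktemp -d)"
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  mkdir -p "$repo/scripts/lib"
  printf 'log() { echo "[$1] $2"; }\n' > "$repo/scripts/lib/log.sh"
  (cd "$repo/scripts/lib" && sha256sum log.sh > log.sh.sha256)   # upstream checksum
  cat > "$repo/scripts/update-log-sh.sh" <<'EOF'
#!/usr/bin/env sh
# Hypothetical refresher: rewrite log.sh from "upstream" and refresh its checksum.
set -eu
printf 'log() { echo "[$1] $2"; }\n' > scripts/lib/log.sh
(cd scripts/lib && sha256sum log.sh > log.sh.sha256)
EOF
  printf '\n' >> "$repo/scripts/lib/log.sh"   # the local modification (drift)
  git -C "$repo" add -A
  git -C "$repo" commit -qm "vendor log.sh with a local edit"
  echo "$repo"
}

# Stand-alone demonstration: validation fails, remediation lists the drifted path,
# and validation passes once the refreshed files are in place.
demo_repo="$(make_demo_repo)"
if vendored_validate "$demo_repo" scripts/lib; then
  echo "validate: ok"
else
  echo "validate: drift detected (lint would fail here)"
fi
echo "remediate: paths to include in the maintenance PR:"
vendored_drift "$demo_repo" "sh scripts/update-log-sh.sh" scripts/lib
vendored_validate "$demo_repo" scripts/lib && echo "validate after refresh: ok"
rm -rf "$demo_repo"
```

In a reusable workflow the refresher command and the watched directories would be `workflow_call` inputs; the validation function is what the pull-request lint job keeps calling, while only the scheduled or manually triggered job calls the drift function and hands its output to the PR step.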

Acceptance criteria

  • Callers can configure the refresher command, watched paths, branch name, PR title/body, and labels.
  • Scheduled/manual runs open or update a PR when vendored files drift.
  • Pull-request lint can still fail when a PR directly introduces vendored drift.
  • Documentation explains the split between validation and auto-remediation.

Labels: enhancement