ci(deploy): post a legacy "CI" commit status after deploy

[Musiker15]

Summary

PR-management UIs that read the older Statuses API show every merge commit on main as stuck-on-pending. The Check Runs (Build & Deploy / CodeQL / Secret Scanning) are all green — but nothing posts a classic commit status, so:

gh api repos/MSK-Scripts/documentation/commits/main/status -q .state
# → "pending"

even though:

gh api repos/MSK-Scripts/documentation/commits/main/check-runs -q '.check_runs[] | "\(.conclusion)\t\(.name)"'
# → success    Build & Deploy
# → success    Analyze (javascript-typescript)
# → success    Scan for leaked secrets

Change

After the deploy step, post context: CI to the Statuses API with state derived from job.status. Runs with if: always() so a failed deploy also gets a status posted (red instead of leaving it stuck on pending forever).

Adds statuses: write to the workflow permissions (was contents: read only).

Why only this repo

Only the documentation repo is doing this — mskanban has the same combined-status pending but the UI in question only surfaces this for documentation PRs (see MSKanban PR #56 conversation). If we ever hit the same with mskanban, this is a copy-paste fix.

Test plan

• Workflow file is syntactically valid YAML
• After merge: the Deploy run posts a CI status; gh api repos/.../commits/main/status -q .state flips from pending to success
• PR-management UI shows green CI on this PR's merge commit

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/deploy.yml

Package	Version	License	Issue Type
actions/github-script	7.*.*	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/github-script	7.*.*	🟢 7.8	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches

Scanned Files

• .github/workflows/deploy.yml