Improve pipeline platform protection gates#2106

Open
shensz2017 wants to merge 1 commit into
UnitOneAI:mainfrom
shensz2017:improve/pipeline-platform-protection-gates
Conversation

@shensz2017

Summary

Closes #2105.

Adds platform-setting evidence gates to pipeline-security so reviewers can separate workflow-YAML evidence from GitHub repository, organization, enterprise, and settings evidence before finalizing CICD-SEC and SLSA conclusions.

What changed

  • Bumped pipeline-security to 1.0.1.
  • Added Step 4: Platform Protection Evidence Review before report compilation.
  • Added decision states for platform-dependent controls: Pass, Fail, Partial, Not Evaluable from Workflow YAML Alone, and Not Applicable.
  • Added a platform protection evidence matrix to the report template.
  • Added evidence guidance for:
    • GitHub Environment protection
    • rulesets and branch protection
    • required workflows and required checks
    • default GITHUB_TOKEN permissions
    • allowed-actions policy
    • fork workflow approval settings
    • artifact/log retention
    • bypass and admin exceptions
  • Added benign and vulnerable fixtures under skills/devsecops/pipeline-security/tests/.

Validation

  • git diff --cached --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed Markdown files
  • ASCII-only check for changed files
  • Prompt-injection scan matching .github/workflows/injection-scan.yml
  • Platform protection marker check for Platform Protection Evidence Review, Platform Protection Evidence Matrix, environment protection, rulesets/branch protection, default GITHUB_TOKEN permissions, allowed-actions policy, fork approvals, artifact/log retention, bypass exceptions, and fixture evidence

Note: YAML parser validation was attempted, but a local YAML parser was not available (yaml Node module unavailable; Ruby/PyYAML also unavailable in this environment).

Bounty

Requesting Improver - Moderate ($100). Preferred payment method: GitHub Sponsors if accepted, otherwise private payment details can be provided after acceptance.
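As an added illustration (not code from this PR or the UnitOneAI repository), the following Python reproduces three of the local checks listed under Validation: the Markdown code fence balance check, the ASCII-only check, and the platform protection marker check. The marker list and the sample skill text are constructed for the example; line and column numbers in findings are 1-based.

```python
import re
from typing import List

# Marker phrases the Validation section says the changed skill files must carry (constructed list).
REQUIRED_MARKERS = [
    "Platform Protection Evidence Review",
    "Platform Protection Evidence Matrix",
    "environment protection",
    "rulesets/branch protection",
    "default GITHUB_TOKEN permissions",
    "allowed-actions policy",
    "fork approvals",
    "artifact/log retention",
    "bypass exceptions",
]
FENCE_RE = re.compile(r"^\s*(```|~~~)")


def check_fence_balance(text: str) -> List[str]:
    """An odd number of fence lines means a code block was opened and never closed."""
    fence_lines = [n for n, line in enumerate(text.splitlines(), 1) if FENCE_RE.match(line)]
    if len(fence_lines) % 2:
        return [f"unbalanced code fence opened at line {fence_lines[-1]}"]
    return []


def check_ascii_only(text: str) -> List[str]:
    """Report the first non-ASCII character on each offending line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 127:
                findings.append(f"line {no} col {col}: non-ASCII U+{ord(ch):04X}")
                break
    return findings


def check_markers(text: str, markers=REQUIRED_MARKERS) -> List[str]:
    """Case-insensitive presence check for every required marker phrase."""
    lowered = text.lower()
    return [f"missing marker: {m}" for m in markers if m.lower() not in lowered]


def lint_skill_markdown(text: str) -> List[str]:
    return check_fence_balance(text) + check_ascii_only(text) + check_markers(text)


# Constructed sample: one marker missing, a non-ASCII arrow on line 5, and an unclosed fence on line 6.
SAMPLE = (
    "## Step 4: Platform Protection Evidence Review\n"
    "Record environment protection, rulesets/branch protection,\n"
    "default GITHUB_TOKEN permissions, allowed-actions policy,\n"
    "fork approvals, artifact/log retention and bypass exceptions.\n"
    "Evidence source \u2192 platform settings, not workflow YAML.\n"
    "```yaml\npermissions:\n  contents: read\n"
)

if __name__ == "__main__":
    for finding in lint_skill_markdown(SAMPLE):
        print(finding)
```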

Development

Successfully merging this pull request may close these issues.

[REVIEW] pipeline-security: add platform protection evidence gates