ci: Simplify Psalm static analysis workflow, clarify push behavior, and cache Composer dependencies

[joshtrichards]

• Resolves: #

Summary

Improve the Psalm static analysis workflow by reducing duplication and making its behavior easier to understand.

Changes:

• clarify that the non-security Psalm jobs are pull-request-only, while keeping push runs for security analysis
• refactor the PR analysis jobs into a matrix job
• preserve the existing (recently added) changes gating and update the summary job accordingly
• add Composer cache reuse to reduce repeated dependency download time
• align PHP extension setup across the PR analysis variants

Notes:

• push behavior remains in the same workflow because of existing dependencies elsewhere (i.e. repo-level security config)
• the workflow path filters remain unchanged

TODO

• ...

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI