Add cargo-vet supply-chain security

[jerrysxie]

This PR adds supply-chain security tooling based on the
embedded-rust-template:

• cargo-vet (supply-chain/) – dependency audit tracking with imports
  from ODP shared audits, Google, and Mozilla.
• CI workflows – cargo-vet.yml + PR comment workflow

[Copilot]

Pull request overview

Adds supply-chain security tooling by introducing a cargo-vet configuration/audit scaffold plus CI workflows to run cargo vet on PRs and post a PR comment on failures/success-after-failure.

Changes:

• Add cargo-vet configuration plus empty local audit/import lock scaffolding under supply-chain/.
• Add a cargo-vet PR workflow that runs cargo vet --locked and uploads the PR number as an artifact.
• Add a workflow_run workflow that posts/updates a PR comment based on the cargo-vet workflow result.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
supply-chain/imports.lock	Initializes cargo-vet imports lock sections for upstream audit sources.
supply-chain/config.toml	Configures cargo-vet and upstream audit import URLs.
supply-chain/audits.toml	Adds an (empty) local audits file stub for cargo-vet.
.github/workflows/cargo-vet.yml	Runs cargo-vet in CI and uploads PR metadata for follow-on workflows.
.github/workflows/cargo-vet-pr-comment.yml	Posts/updates a PR comment based on the cargo-vet workflow outcome.

Comments suppressed due to low confidence (2)

.github/workflows/cargo-vet.yml:44

• The if: condition is written as two separate expression blocks (${{ failure() }} || ${{ success() }}), which GitHub Actions does not evaluate as a single expression and can cause the step to be skipped or the workflow to error. Use a single expression (e.g., if: always() or if: success() || failure()) so the PR number is reliably saved.

    - name: Save PR number
    # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow
    # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch
      if: ${{ failure() }} || ${{ success() }}
      run: |

.github/workflows/cargo-vet.yml:50

• Same issue as above: if: ${{ failure() }} || ${{ success() }} is not a single valid expression. Switch to if: always() (or if: success() || failure()) to ensure the artifact is uploaded on both success and failure, otherwise the downstream workflow_run job may not find the pr artifact.

    - uses: actions/upload-artifact@v4
    # Need to upload the artifact in both success and failure cases so comment can be updated in either case
      if: ${{ failure() }} || ${{ success() }}
      with: