feat: Add optional FIPS support #466

Open

seanarnold wants to merge 1 commit into temporalio:main from seanarnold:feat/optional-fips-compliance

Conversation

@seanarnold

Opt-in source build (TEMPORALIO_FIPS=1) that links rustls against aws-lc-rs in FIPS mode instead of ring. Default build is unchanged.

What was changed

  • New fips Cargo feature on the native extension, driven by TEMPORALIO_FIPS=1 at build time. It builds rustls on top of aws-lc-rs in FIPS mode (for both the gRPC client and the OTLP metric exporter) instead of ring, which isn't FIPS-validated.
  • Bumped the sdk-core submodule to the recent main commit that includes the OTLP TLS fix from "Feature-select OTLP exporter TLS backend" (sdk-rust#1333). Without it, the OTLP exporter forces ring in and a ring-free build isn't possible.
  • Default worker build id now uses SHA-256 instead of MD5.
  • CI runs the FIPS build as an extra matrix leg on Linux and asserts the dependency tree is free of ring.
  • README documents the opt-in build and its requirements.

Why?

Users in FIPS-regulated environments currently have to patch the gem's source to enable FIPS-compliant cryptography. This change pushes it upstream and provides a simple way to compile the gem in a FIPS-compatible mode.

Checklist

  1. Closes

  2. How was this tested:

     • Adds to the existing matrix so we can test fips mode on each
     • We check for ring in the built dependency tree (when under fips mode) and fail the job if it's present.

  3. Any docs updates needed?
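The opt-in switch and the ring check described above, as an added example that is not the PR's or the gem's own code: how the gem forwards the feature to cargo, and the sample dependency trees, are assumptions made here.

```shell
# Added example, not code from the PR or the temporalio gem. It models the two
# build-time pieces the PR describes: mapping TEMPORALIO_FIPS=1 to the fips
# Cargo feature, and failing a CI job whose dependency tree still lists ring.
# How the gem actually forwards the feature to cargo is assumed here.

# Print the extra cargo arguments for the opt-in build. Takes the opt-in value
# as $1, falling back to $TEMPORALIO_FIPS; prints nothing for the default build.
fips_cargo_args() {
  if [ "${1:-${TEMPORALIO_FIPS:-}}" = "1" ]; then
    printf '%s' '--features fips'
  fi
}

# Read cargo-tree style output on stdin and return 1 if the ring crate is
# present. The pattern requires the crate name as a whole word followed by a
# version, so a crate that merely contains "ring" (e.g. bitstring) is not a hit.
check_no_ring() {
  hits=$(grep -E '(^|[^A-Za-z0-9_-])ring v[0-9]' || true)
  if [ -n "$hits" ]; then
    printf 'FIPS build must not depend on ring:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample trees in cargo tree's ASCII charset (not real output
# from the project's build).
FIPS_TREE='temporalio v0.0.0
|-- rustls v0.23.0
|   `-- aws-lc-rs v1.0.0
|       `-- aws-lc-fips-sys v0.12.0
`-- bitstring v0.1.0'

RING_TREE='temporalio v0.0.0
|-- rustls v0.23.0
|   `-- ring v0.17.0
`-- bitstring v0.1.0'

# Demo run: the aws-lc-rs tree passes, the ring tree is rejected.
echo "cargo build $(fips_cargo_args 1)"
printf '%s\n' "$FIPS_TREE" | check_no_ring && echo "fips tree: ok"
printf '%s\n' "$RING_TREE" | check_no_ring 2>/dev/null || echo "ring tree: rejected"
```

In a real job the second function would be fed the actual `cargo tree` output of the FIPS build rather than the constructed strings.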

Opt-in source build (TEMPORALIO_FIPS=1) that links rustls against aws-lc-rs in
FIPS mode instead of ring. Default build is unchanged.
@seanarnold seanarnold requested a review from a team as a code owner June 16, 2026 23:26
@seanarnold

Author

@Sushisource @chris-olszewski for your review. Thanks!
