Add cargo-vet and cargo-deny supply-chain security

[jerrysxie]

This PR adds supply-chain security tooling based on the
embedded-rust-template:

• cargo-vet (supply-chain/) – dependency audit tracking with imports
  from ODP shared audits, Google, and Mozilla.
• cargo-deny (deny.toml) – license, advisory, ban, and source checks.
• CI workflows – cargo-vet.yml + PR comment workflow, and the
  deny job in check.yml.

After merging, run cargo vet locally to populate exemptions for any
existing unaudited dependencies:

cargo vet regenerate exemptions
cargo vet

[Copilot]

Pull request overview

This PR introduces supply-chain security tooling centered around cargo-vet, including the initial supply-chain/ configuration and a pair of GitHub Actions workflows to run cargo vet on PRs and post/update a PR comment with the result.

Changes:

• Add initial cargo-vet configuration under supply-chain/ (audits file + imports config + imports lock).
• Add a cargo-vet PR workflow that runs cargo vet --locked and uploads the PR number as an artifact.
• Add a workflow_run-triggered workflow that comments on the PR and labels it when vetting fails.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
supply-chain/imports.lock	Adds initial imports lock structure for external audit imports.
supply-chain/config.toml	Configures cargo-vet and remote audit import sources.
supply-chain/audits.toml	Adds initial audits file scaffold.
.github/workflows/cargo-vet.yml	Runs cargo-vet on PRs and uploads PR number artifact for follow-up workflow.
.github/workflows/cargo-vet-pr-comment.yml	Posts/updates PR comments based on cargo-vet results and applies a label on failure.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.