Commit e4fe86a
authored
feat(ci): add sfw-enterprise support and publish-without-sfw escape hatch (#1181)
* feat(ci): add sfw-enterprise support and publish-without-sfw escape hatch
When SOCKET_API_KEY is set, downloads sfw-enterprise from
SocketDev/firewall-release instead of sfw-free. Enterprise shims
include additional ecosystems (gem, bundler, nuget, go on Linux).
SSL workaround only applies to sfw-free.
Adds publish-without-sfw input to provenance workflow to bypass
firewall shims during publishing.
* fix(ci): suppress pre-existing zizmor secrets-outside-env warnings
* fix(ci): add job names, restrict workflow permissions, document id-token
* fix(ci): use file rename instead of PATH override to strip sfw shims
Writing PATH to GITHUB_ENV doesn't work because GITHUB_PATH entries
are always prepended by the runner after GITHUB_ENV is applied
(actions/toolkit#655). Rename shim files to .disabled instead so
real binaries resolve from PATH naturally.

1 parent 09aca81
3 files changed, +260 -77 lines changed
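The third fix in the message (rename shim files instead of rewriting PATH) rests on one fact: whatever PATH a step writes to GITHUB_ENV, the runner still prepends every GITHUB_PATH entry afterwards, so a shim directory that was added via GITHUB_PATH stays first. The script below is an added example and is not code from this commit or from the project; it builds a constructed sandbox with a "real" binary directory shadowed by a shim directory (the directory names, the `npm` tool and the `disable_shims` helper are assumptions) and shows that renaming the shim to `.disabled` is enough for the real binary to resolve again without touching PATH.

```shell
#!/bin/sh
# Added example, not from the project: demonstrate the "rename shim to .disabled"
# approach from the commit message in a throwaway sandbox.
set -eu

# disable_shims SHIM_DIR TOOL...: rename each shim file to TOOL.disabled so the
# shell's PATH lookup falls through to the next directory holding that tool.
# (Helper name and arguments are assumptions for this example.)
disable_shims() {
  shim_dir="$1"
  shift
  for tool in "$@"; do
    f="$shim_dir/$tool"
    if [ -f "$f" ]; then
      mv "$f" "$f.disabled"
    fi
  done
}

# demo: constructed sandbox with a real npm and a shim npm that shadows it.
# Prints "<resolved before> <resolved after>" so the effect can be checked.
demo() {
  sandbox="$(mktemp -d)"
  mkdir -p "$sandbox/real" "$sandbox/shims"
  printf '#!/bin/sh\necho real-npm\n' > "$sandbox/real/npm"
  printf '#!/bin/sh\necho shim-npm\n' > "$sandbox/shims/npm"
  chmod +x "$sandbox/real/npm" "$sandbox/shims/npm"

  # Mirror what the runner does: the shim directory (a GITHUB_PATH entry) sits
  # ahead of everything else, regardless of any PATH written to GITHUB_ENV.
  PATH="$sandbox/shims:$sandbox/real:$PATH"
  export PATH

  before="$(npm)"                      # shim wins: "shim-npm"
  disable_shims "$sandbox/shims" npm   # rename shims/npm -> shims/npm.disabled
  hash -r                              # drop the shell's cached lookup
  after="$(npm)"                       # real binary now resolves: "real-npm"

  rm -rf "$sandbox"
  printf '%s %s\n' "$before" "$after"
}
```

Run `demo` to see `shim-npm real-npm`. In a real workflow step the shim directory would be the one the firewall installer registered, and the tool list would match the shims present for that platform (for the enterprise build the message lists gem, bundler, nuget and go on Linux in addition to the free set); the `hash -r` matters only within a single shell session, since each GitHub Actions step starts a fresh shell.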