Add gha-shield - browser-based GitHub Actions workflow security scanner#806

Open
Fabridev444 wants to merge 1 commit into sdras:main from Fabridev444:add-gha-shield

Conversation

@Fabridev444

Adds gha-shield to the Static Analysis section.

What it is: a browser-only scanner that takes a GitHub Actions workflow YAML and returns 13 categorized security findings in under 5 seconds, no install or signup required.

The 13 rules: unpinned actions (no SHA), `pull_request_target` + PR-ref checkout, `${{ github.event.* }}` interpolated into `run:` shells, missing `permissions:` block, `continue-on-error` on auth/test steps, `secrets.*` in `if:` conditions, `curl | bash`, untrusted-host downloads without checksum, `schedule:` with broad token, `workflow_run` + untrusted checkout, hard-coded provider keys (sk-, ghp_, AKIA…) in `env:`, untrusted action receiving GITHUB_TOKEN, job without `timeout-minutes`.

Receipts:

  • 45 unit tests pass (`node --test`)
  • E2E scanned over `archestra-ai/archestra` (23 workflows → 15 findings) and `vercel/next.js` (37 workflows → 87 findings including 4 criticals in `release-next-rspack.yml`)
  • Source: https://github.com/Fabridev444/gha-shield (MIT-pending, free forever)

Following the awesome-list format. Happy to adjust the description length or position if needed.
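To make the rule classes above concrete, here is an added example (not gha-shield's code, nor anything from this PR) of a minimal line-oriented checker for four of them: unpinned actions, `${{ github.event.* }}` inside `run:`, a missing `permissions:` block, and `pull_request_target` combined with a PR-head checkout. The sample workflow and the setup-node SHA in it are constructed; the indentation heuristics are an assumption that a real scanner would replace with a YAML parser.

```javascript
// Added example, not gha-shield's own code: a minimal line-oriented checker for
// four of the rule classes listed in the PR. It avoids a YAML dependency so it
// runs under plain Node; a real scanner should parse the YAML rather than rely on
// these heuristics (e.g. `on: [push, pull_request_target]` is not recognised).
const SHA_RE = /^[0-9a-f]{40}$/i;
// Returns an array of { rule, line, detail } findings for one workflow's text.
function scanWorkflow(text) {
  const findings = [];
  let hasPermissions = false, prTarget = false, prRefCheckout = false;
  let runIndent = -1; // indent of the open multi-line `run: |` block, or -1
  text.split(/\r?\n/).forEach((raw, i) => {
    const indent = raw.search(/\S|$/), line = raw.trim(), n = i + 1;
    // A non-blank line at or above the run block's indent level closes it.
    if (runIndent >= 0 && line !== '' && indent <= runIndent) runIndent = -1;
    if (/^permissions:/.test(line)) hasPermissions = true;
    if (/^(on:\s*|-\s*)?pull_request_target:?$/.test(line)) prTarget = true;
    if (/^ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./.test(line)) prRefCheckout = true;
    // Rule: third-party action not pinned to a full 40-hex commit SHA.
    const uses = line.match(/^(-\s*)?uses:\s*([^\s#]+)/);
    if (uses && !/^(\.\/|docker:\/\/)/.test(uses[2])) {
      const at = uses[2].lastIndexOf('@');
      if (at < 0 || !SHA_RE.test(uses[2].slice(at + 1)))
        findings.push({ rule: 'unpinned-action', line: n, detail: uses[2] });
    }
    // Rule: attacker-controlled event data interpolated into a run: shell.
    const run = line.match(/^(-\s*)?run:\s*(.*)$/);
    if (run && /^[|>]/.test(run[2])) runIndent = indent;
    if ((run || runIndent >= 0) && /\$\{\{\s*github\.event\./.test(line))
      findings.push({ rule: 'expression-injection', line: n, detail: line });
  });
  if (!hasPermissions)
    findings.push({ rule: 'missing-permissions', line: 0, detail: 'no permissions: block' });
  if (prTarget && prRefCheckout)
    findings.push({ rule: 'pr-target-untrusted-checkout', line: 0, detail: 'PR head checked out under pull_request_target' });
  return findings;
}

// Constructed sample workflow (not from any real repository); the setup-node
// SHA is made up. Expect four findings: unpinned checkout, expression injection
// in the run block, missing permissions, and pull_request_target + PR-head ref.
const SAMPLE = [
  'name: ci', 'on:', '  pull_request_target:', 'jobs:', '  build:',
  '    runs-on: ubuntu-latest', '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:', '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b',
  '      - run: |', '          echo "Title: ${{ github.event.pull_request.title }}"',
].join('\n');
for (const f of scanWorkflow(SAMPLE)) console.log(`${f.rule} (line ${f.line}): ${f.detail}`);
```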
