fix(ci): repin trufflehog to v3.95.6 (unblock security job)

[Coding-Dev-Tools]

What

The security CI job has been failing on master:

Unable to resolve action `trufflesecurity/trufflehog@34ed34b8e678b826e3e4a3d28426ac8bdfc4e1f2`,
unable to find version `34ed34b8e678b826e3e4a3d28426ac8bdfc4e1f2`

The pinned commit SHA no longer exists in trufflesecurity/trufflehog, so the
"Check for secrets" step can't start and the whole security job (a required
dependency of build) fails.

Fix

Repin to the current release v3.95.6, commit 30d5bb91af1a771378349dbbb0c82129392acf70,
keeping the SHA pin (supply-chain best practice) with a human-readable version comment.

- uses: trufflesecurity/trufflehog@34ed34b8e678b826e3e4a3d28426ac8bdfc4e1f2
+ uses: trufflesecurity/trufflehog@30d5bb91af1a771378349dbbb0c82129392acf70 # v3.95.6

Single-line change to .github/workflows/ci.yml. Once green, this unblocks the security and build jobs.

[github-actions]

🤖 Automated Code Review

✅ Ruff Lint — No issues

⚠️ Ruff Format — Formatting needed

Would reformat: src/apiauth/cli.py
Would reformat: src/apiauth/keygen.py
Would reformat: tests/conftest.py
Would reformat: tests/test_cli.py
4 files would be reformatted, 4 files already formatted

✅ Secret Detection — Clean

✅ Large Files — Within limits

📊 Diff Stats — 1 file(s) changed

 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

---

Verdict: ⚠️ Warnings — Lint/format issues found. Recommend fixing before merge.

Automated by Coding-Dev-Tools/.github reusable workflow.