fix(workflows): default all reusable runners to ubuntu-latest for public consumers #45

Merged: BryanFRD merged 1 commit into main from fix/reusable-security-public-runner, May 14, 2026

@BryanFRD
Contributor

Summary

PR #44 added runner: ubuntu-latest defaults for the main job in each reusable workflow but left auxiliary jobs hardcoded to ferrlabs-k8s. Public-repo consumers (FerrFlow, FerrGames-Cloud, etc.) hit those auxiliary jobs and they queue indefinitely waiting for a self-hosted runner that doesn't exist.

Symptom from FerrFlow's Secrets + CVE / gitleaks (secrets) check:

Requested labels: ferrlabs-k8s
Waiting for a runner to pick up this job...

Fix

All runs-on: ferrlabs-k8s swapped to runs-on: ${{ inputs.runner }} across:

  • reusable-security-scan.yml — added runner input (was missing entirely), all 3 jobs (gitleaks, osv-scanner, trufflehog)
  • reusable-ci-astro.yml — i18n + lighthouse jobs
  • reusable-ci-node.yml — quality job
  • reusable-docker-build.yml — hadolint, trivy, cosign, sbom jobs
  • reusable-release-rust.yml — added runner input (was missing), upload + publish-crate + publish-docker jobs

Default in every case: 'ubuntu-latest'. Private consumers can still pass runner: 'ferrlabs-k8s' to opt back into the self-hosted pool.

renovate.yml keeps ferrlabs-k8s because it's the org's own internal workflow, not a reusable consumed by public repos.

Test plan

  • No ferrlabs-k8s left as runs-on: in reusable workflows (only as a default override mention in input descriptions)
  • FerrFlow's next Security scan run picks up on ubuntu-latest instead of queuing forever
  • Private consumers (none currently in use) can override via the existing runner input

Copilot AI review requested due to automatic review settings May 14, 2026 14:01
@BryanFRD BryanFRD merged commit 4f1554c into main May 14, 2026
1 check passed
@BryanFRD BryanFRD deleted the fix/reusable-security-public-runner branch May 14, 2026 14:01
@BryanFRD BryanFRD review requested due to automatic review settings May 14, 2026 14:25
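
A check for the first test-plan item above, added here as an example and not part of the PR or the project's own tooling: it flags every runs-on in a reusable workflow that is not the runner input, and reads the declared default of that input. The two workflow texts are constructed samples shaped like the change described, and the function names are hypothetical.

```python
import re

RUNS_ON = re.compile(r"^\s*runs-on:\s*(\S.*?)\s*$")
# Constructed samples shaped like the change described in the PR (not the real files).
BEFORE = """\
on:
  workflow_call:
jobs:
  gitleaks:
    runs-on: ferrlabs-k8s
  osv-scanner:
    runs-on: ferrlabs-k8s
"""
AFTER = """\
on:
  workflow_call:
    inputs:
      runner:
        type: string
        default: 'ubuntu-latest'
jobs:
  gitleaks:
    runs-on: ${{ inputs.runner }}
"""

def hardcoded_runners(text):
    """Return (line_no, value) for each runs-on that is not ${{ inputs.runner }}."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RUNS_ON.match(line.split(" #", 1)[0])  # ignore trailing comments
        if m and re.sub(r"[\s'\"]", "", m.group(1)) != "${{inputs.runner}}":
            found.append((no, m.group(1)))
    return found

def runner_default(text):
    """Return the default of the `runner` input, or None if it is not declared."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "runner:":
            indent = len(line) - len(line.lstrip())
            for child in lines[i + 1:]:
                if child.strip() and len(child) - len(child.lstrip()) <= indent:
                    break  # left the runner: block
                if child.strip().startswith("default:"):
                    return child.split(":", 1)[1].strip().strip("'\"")
    return None

if __name__ == "__main__":
    print(hardcoded_runners(BEFORE), runner_default(AFTER))
```

Run over each reusable workflow file in CI, a non-empty findings list or a default other than ubuntu-latest fails the build before a public consumer hits a job that queues for a runner label it cannot reach.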