refactor: use reusable workflow for semgrep (#311)

Updated the build-test-release workflow to use
[sast-scan](https://github.com/splunk/sast-scanning) owned by product
security team instead of using custom implementation.
Ref: https://splunk.atlassian.net/browse/ADDON-72309

Test workflow run:
https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10596615468
Tested on PR:
splunk/splunk-add-on-for-servicenow#751

Workflow is not tested for the failure scenario because we need to have
blocker findings by the semgrep in order to fail the workflow. Currently
all rules are in monitor mode so any findings by the semgrep will be
non-blocker resulting in semgrep stage to pass everytime.
Discussion with the semgrep team:
https://splunk.slack.com/archives/C011ELTV7FG/p1724923496371529

Author: dvarasani-crest

.github/workflows/reusable-build-test-release.yml

@@ -305,19 +305,11 @@ jobs:
         with:
           extra_args: -x .github/workflows/exclude-patterns.txt --json --only-verified
           version: 3.77.0
-          
+
   semgrep:
-    runs-on: ubuntu-latest
-    name: security-sast-semgrep
-    container:
-      image: returntocorp/semgrep
-    steps:
-      - uses: actions/checkout@v4
-      - name: Semgrep
-        id: semgrep
-        run: semgrep ci
-        env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
+    uses: splunk/sast-scanning/.github/workflows/sast-scan.yml@main
+    secrets:
+      SEMGREP_KEY: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
 
   test-inventory:
     runs-on: ubuntu-latest