
Commit a32e0b2

hammond and claude committed
ci(features): pass only the secrets the called workflow actually needs
Replace `secrets: inherit` with an explicit `secrets:` map that forwards only `ABLY_AWS_ACCOUNT_ID_SDK` to the called reusable workflow. With `secrets: inherit` every secret available to this repository is implicitly handed to `ably/features/.github/workflows/sdk-features.yml` on each invocation, including secrets that workflow does not need (Sonatype publishing credentials, GPG signing keys, etc.).

The called workflow declares only one required secret on its `workflow_call` trigger and otherwise relies on `GITHUB_TOKEN`, which reusable workflows receive automatically from the caller and so does not need to be passed via `secrets:`.

Closes 1 zizmor `secrets-inherit` finding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent aad3c10 commit a32e0b2

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

.github/workflows/features.yml

@@ -11,4 +11,5 @@ jobs:
1111
uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main
1212
with:
1313
repository-name: ably-java
14-
secrets: inherit
14+
secrets:
15+
ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}
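Review bot: the explicit map is now coupled to the secrets the callee declares under `workflow_call`, so the name on the left of `ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}` must match the callee's declared secret name exactly, and that coupling should be re-checked whenever the pinned SHA on the `uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8...` line is bumped: a revision that adds a required secret will fail this caller at validation time instead of receiving it silently, which is the desired least-privilege behaviour but is easy to misread as a regression. A one-line comment next to `secrets:` stating that `GITHUB_TOKEN` is supplied to reusable workflows automatically, as the commit message explains, would keep a future reader from "fixing" the narrowed map back to `inherit`.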
