fix(ci): provide CS_* creds to bench-eql for fixture generation

With bench.sh now running test:sqlx:prep, fixture:generate:all encrypts via
cipherstash-client and needs ZeroKMS auth (CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN)
plus a client key (CS_CLIENT_ID + CS_CLIENT_KEY); without them it fails with
'Auth strategy error: Not authenticated'. Add the four secrets to the bench job
env, mirroring test-eql.yml. (bench-eql triggers are push:main/schedule/dispatch,
all main-repo, so no fork-PR creds exposure.)

Author: tobyhede

.github/workflows/bench-eql.yml

@@ -41,6 +41,15 @@ jobs:
 
     env:
       POSTGRES_VERSION: "17"
+      # test:sqlx:prep regenerates the per-type fixtures by encrypting plaintext
+      # through cipherstash-client, which needs BOTH a ZeroKMS auth credential
+      # (CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN) AND a client key (CS_CLIENT_ID +
+      # CS_CLIENT_KEY). Without them fixture:generate:all fails with
+      # "Auth strategy error: Not authenticated". Mirrors test-eql.yml.
+      CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
+      CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
+      CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
+      CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
 
     steps:
       - uses: actions/checkout@v4