[FSSDK-12316] [Security] Fix curl|bash vulnerability in SourceClear scan (#294)

* [Security] Fix curl|bash vulnerability in SourceClear scan

- Replace dangerous curl|bash pattern with official Veracode SCA action
- Use veracode/veracode-sca@v2 for secure, maintained scanning
- Addresses script injection vulnerability in CI/CD pipeline
- Related to commit 363cb85 (previous GitHub Actions security fix)

Security improvements:
- Official action from Veracode organization (signed and verified)
- No untrusted remote code execution
- Protected against MITM attacks
- Same SRCCLR_API_TOKEN authentication preserved
- Action is actively maintained and receives security updates

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: Remove SourceClear scan workflow

Following Python SDK's approach (commit d651911), removing the
SourceClear GitHub Actions workflow to address security risks.

The curl|bash pattern in this workflow presented a security
vulnerability. Rather than replace with official action, we're
removing it entirely to align with the Python SDK security
remediation strategy.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: Tamara-Barum

.github/workflows/php.yml

@@ -22,20 +22,9 @@ jobs:
       - name: Run linting
         run: composer lint
 
-  source_clear:
-    name: Source Clear Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Source clear scan
-        env:
-          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
-        run: curl -sSL https://download.sourceclear.com/ci.sh | bash -s – scan
-
   unit_tests:
     name: Unit Tests ${{ matrix.php-versions }}
-    needs: [ linting, source_clear ]
+    needs: [ linting ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false