SAST reusable workflow documentation and additional functionality

[pritchyspritch]

Added documentation for GitHub Compliance App, and logic to allow semgrep in case repo is private or developer preference.

Context

v1 of this workflow would not have worked for private repos due to licensing issues.

Changes proposed in this pull request

This version includes:

• checks to see if the repo is private which triggers semgrep instead of codeql
• the option to force semgrep if a team prefers it to codeql
• naming and uploading of artefacts so they can be picked up by the security teams reporting tools
• extra documentation to explain the compliance check, and how to ensure it runs in your pipeline
• the compliance job will now run so long as the repo is public, now that the app has been installed in this org and secrets are available

Guidance to review

Successful run on test repo, shows build breaking due to security issues found outside of SLA policies: https://github.com/DFE-Digital/test-codeql/actions/runs/9909251763

Checklist

• [X] I have performed a self-review of my code, including formatting and typos
• [X] I have cleaned the commit history
• [X] I have added the Devops label
• [ ] I have attached the pull request to the trello card