[codex] Add GitHub Actions consumer example#35

Merged: stacknil merged 1 commit into main from codex/add-github-actions-consumer-example on May 4, 2026
Conversation

@stacknil (Owner) commented May 4, 2026

Brief Design Summary

This PR adds a docs-only GitHub Actions consumer example for sbom-diff-risk.

The new page shows how another repository could install sbom-diff-risk from a GitHub Release wheel instead of production PyPI, run compare, write JSON, Markdown, summary JSON, and optional SARIF outputs, upload those outputs as CI artifacts, and apply an explicit local threshold to summary.json.

The example avoids secrets, private paths, internal repository names, hidden network behavior, and built-in dependency safety verdict claims. It explicitly states that production PyPI publishing remains intentionally deferred.

No existing repository workflows, package metadata, CLI behavior, report schema, examples, release tags, or publishing status changed.

Files Changed

  • tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md
  • tools/sbom-diff-and-risk/README.md

Validation

  • git diff --check passed.
  • Confirmed relative link targets exist.
  • Confirmed .github/workflows/ unchanged.
  • Confirmed package version remains 0.6.0.
  • No Python tests run because this is docs-only.

Out of Scope

  • No runtime behavior changes
  • No CLI behavior changes
  • No JSON schema changes
  • No changes to examples
  • No workflow changes
  • No package version bump
  • No tag or GitHub Release
  • No PyPI/TestPyPI publishing
  • No production PyPI workflow
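The description above says the consumer workflow applies an explicit local threshold to summary.json. The block below is an added illustration of that gate, written here and not taken from the PR or from the sbom-diff-risk project; the field names (added, removed, changed, max_risk_score) and the sample summary are assumptions made for the example, so they must be checked against the tool's real report schema before use. It fails closed when a required field is missing, which is the behaviour a CI gate should have.

```python
# Added example (not part of the PR or the sbom-diff-risk project):
# a local threshold gate that a consuming workflow could run over summary.json.
# Key names in the summary are ASSUMED for illustration; check the real schema.
import json
import sys

# Constructed sample summary, standing in for the summary.json the PR describes.
SAMPLE_SUMMARY = {
    "added": 3,
    "removed": 1,
    "changed": 2,
    "max_risk_score": 7.5,
}

# Fields the gate requires. A missing field fails closed rather than passing silently.
REQUIRED_FIELDS = ("added", "removed", "changed", "max_risk_score")


def evaluate_gate(summary, max_risk_score, max_added):
    """Return (passed, reasons). reasons is empty when the summary is within limits."""
    missing = [field for field in REQUIRED_FIELDS if field not in summary]
    if missing:
        return False, [f"summary.json missing fields: {', '.join(missing)}"]
    reasons = []
    if summary["max_risk_score"] > max_risk_score:
        reasons.append(
            f"max_risk_score {summary['max_risk_score']} exceeds threshold {max_risk_score}"
        )
    if summary["added"] > max_added:
        reasons.append(f"{summary['added']} added components exceeds limit {max_added}")
    return not reasons, reasons


def gate_file(path, max_risk_score, max_added):
    """Load a summary JSON file from disk and evaluate it against the local thresholds."""
    with open(path, encoding="utf-8") as fh:
        summary = json.load(fh)
    return evaluate_gate(summary, max_risk_score, max_added)


def main(argv):
    # Usage: python gate.py summary.json MAX_RISK_SCORE MAX_ADDED
    if len(argv) != 4:
        print("usage: gate.py SUMMARY_JSON MAX_RISK_SCORE MAX_ADDED", file=sys.stderr)
        return 2
    passed, reasons = gate_file(argv[1], float(argv[2]), int(argv[3]))
    for reason in reasons:
        print(f"::error::{reason}")  # GitHub Actions annotation so the reason shows in the job UI
    print("threshold gate:", "passed" if passed else "FAILED")
    # A non-zero exit is what makes the workflow step, and therefore the job, fail.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would run as a step after the compare step, with the two limits set in the consuming repository rather than taken from the report, which keeps the verdict local and explicit as the PR description intends.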

@stacknil stacknil merged commit 1a29fe3 into main May 4, 2026
5 checks passed
@stacknil stacknil deleted the codex/add-github-actions-consumer-example branch May 4, 2026 01:59