fix: Skip security job when CI workflow is called from PyPI publish

The security job requires security-events: write permission, but when
the CI workflow is called as a reusable workflow from PyPI publish,
it's not allowed to have that permission.

Changes:
- Add if: github.event_name \!= 'workflow_call' to security job
- Security scanning will only run on direct CI triggers (push, PR)
- Allows PyPI workflow to call CI workflow without permission conflicts

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: codebydivine

.github/workflows/ci.yml

@@ -99,6 +99,7 @@ jobs:
 
   security:
     runs-on: ubuntu-latest
+    if: github.event_name != 'workflow_call'
     permissions:
       security-events: write
       contents: read