fix: release gate severity back to critical (known HIGH deps) (#950)

The self-scan gate was bumped to `--fail-on-severity high` in #944 but
our dependency chain has known HIGH CVEs (pyopenssl cap from snowflake,
etc.) that are tracked and assessed as non-exploitable. Reverting to
critical-only gate so releases aren't blocked by accepted risk.

HIGH findings remain visible in workflow logs and Security tab.

Author: msaad00

.github/workflows/release.yml

@@ -158,7 +158,7 @@ jobs:
           uv run agent-bom scan --self-scan \
             --format sarif \
             -o sarif/release-self-dep.sarif \
-            --fail-on-severity high \
+            --fail-on-severity critical \
             --quiet
 
       - name: Upload release self-scan SARIF