chore(config): standardize `actions` sub-schema in artifact-retention.yml

[WilliamBerryiii]

Issue Description

PR #479 introduces an actions: sub-schema (with name/version/sha fields) under the new sbom_reports artifact type in .github/artifact-retention.yml. No other artifact type in the file uses this pattern, creating an inconsistency.

Documenting which GitHub Actions produce each artifact type is useful for traceability and SHA-pinning validation, but the pattern should be applied consistently or extracted.

Proposal

Decide on one of two approaches:

1. Standardize in-place — Add actions: blocks to existing artifact types that are produced by GitHub Actions (e.g., security_reports, build_artifacts, test_results).
2. Extract to a separate section — Move action-to-artifact mappings into a dedicated top-level key (e.g., action_mappings:) to keep artifact type definitions uniform.

Acceptance Criteria

• All artifact types that reference GitHub Actions use the same schema pattern
• artifact-retention.yml passes any existing YAML lint or schema validation
• Decision documented as a comment in this issue or in an ADR

References

• PR chore(security): add SBOM artifact retention policy #479 — introduced the actions: pattern under sbom_reports
• Issue chore(security): add SBOM artifact retention policy #453 — parent task for SBOM retention policy
• Issue feat(build): generate and release SBOM as part of release cycle #256 — parent epic for SBOM generation

[littleKitchen]

Went with Option B (extract to separate section). Added a top-level action_mappings: key — keeps artifact type definitions uniform. See #487.