feat(naoru-ai): add naoru AI failure diagnosis to core build/deploy workflows

[clouddrove-ci]

What

Adds an opt-in naoru job to 5 core reusable workflows: tf-workflow, docker-build-push, helm-deploy, cf-deploy, ci.

On a failed run, naoru reads the failed job's logs (+ PR diff when present), asks an LLM for the root cause + a concrete fix, and posts it:

• a sticky PR comment when the run has a PR, or
• the job Step Summary on workflow_dispatch/schedule runs (no PR).

naoru: https://github.com/clouddrove/naoru — comment-only, never fails the build.

How it's wired

Each workflow gets a final job:

  naoru:
    needs: [<main job>]
    if: ${{ failure() }}
    ...
    steps:
      - env: { NAORU_KEY: ${{ secrets.NAORU_API_KEY }} }
        if: ${{ env.NAORU_KEY != '' }}
        uses: clouddrove/naoru@v0

Backward compatibility

• No NAORU_API_KEY set → the step is skipped (gated on the secret), job is a green no-op. Existing callers are unaffected.
• naoru is fail-safe: a bad/empty key produces a warning and exits 0; it never fails a build.
• Reusable workflows declare NAORU_API_KEY as an optional secret; ci.yml (not a reusable workflow) uses the repo secret directly.

To enable (per consuming repo/org)

1. Set an NAORU_API_KEY secret (OpenRouter key by default; provider/model overridable).
2. For reusable-workflow callers, pass it through (secrets: inherit or explicit NAORU_API_KEY:).

Scope

Core build/deploy set first. Scanners (prowler/tfsec/checkov), tf-drift (drift = expected), and PR-automation workflows intentionally excluded. Easy to extend later — same 1 job per workflow.

[clouddrove-ci]

Retitled with scope and added labels to satisfy PR validation.