HC-1453 Pre-public release readiness#8

Merged: aaryan-collab merged 6 commits into main from HC-1453-android-example-pre-public-release-readiness on May 27, 2026

@aaryan-collab (Contributor) commented May 25, 2026

Summary

  • Add Gitleaks secret-scanning workflow and baseline .gitleaksignore (parity with checkout-ios-example HC-1452 / PR HC-1453 Pre-public release readiness #8).
  • Add Gradle build-verification workflow (assemble developmentDebug, unit tests, lint) with GitHub Packages auth for checkout-android-maven.
  • Enable Dependabot for GitHub Actions.
  • README: demonstration-only disclaimer, Support (docs.spreedly.com, spreedly.com/support), and Legal block (HC-1375 pattern).

Ticket: HC-1453

Type of change

  • Documentation
  • CI / repository configuration

Test plan

  • Gitleaks Scan workflow passes on this PR
  • Build Verification workflow passes on this PR
  • Local: ./gradlew :app:assembleDevelopmentDebug :app:testDevelopmentDebugUnitTest :app:lintDevelopmentDebug
  • README renders with disclaimer, Support, and Legal sections
  • No repository visibility change (IS owns public flip + PVR after AE sign-off per HC-1453)

@aaryan-collab requested a review from a team as a code owner May 25, 2026 12:42

Use documented Forter Maven read credentials when env and Gradle
properties are unset so CI resolves forter3ds without extra secrets.
Redact the example password from libs.versions.toml comments.

@aaryan-collab requested a review from Samy-O7 May 25, 2026 12:59

@Samy-O7 left a comment

IS approval - full DoD validation on this branch + bonus hardening accepted.

Verified per HC-1453 DoD (3 remaining items):

  • d2 Demo disclaimer - PASS. README first paragraph: "This project is for demonstration and reference purposes only. It is not intended for use in production environments..."
  • d3 Legal block - PASS. ## Legal with Terms (legal.spreedly.com/#terms), Privacy (legal.spreedly.com/#privacy-policy), License (Apache 2.0). Matches HC-1375 pattern.
  • d4 Support pointers - PASS. ## Support with docs.spreedly.com + spreedly.com/support.

Bonus hardening (accepted):

  • New Gitleaks Scan workflow at v8.18.1, hard-fail on detection, PR + push to main + manual dispatch - parity with checkout-ios-example pattern.
  • New Build Verification workflow (assemble, unit tests, lint) with GitHub Packages auth.
  • Dependabot enabled for GitHub Actions weekly.

Forter Maven credential note:
Reviewed the settings.gradle.kts fallback default for the Forter Maven repo (forter-android-sdk + HvYum...). Per Forter's official Android Studio integration docs, these are vendor-issued non-sensitive obscurity credentials shared across all integrators, and Forter explicitly instructs them to be committed to version control. Not a c1 violation. Acceptable for the public flip.

CI status: All 4 checks green (Gradle assemble/unit tests/lint, Analyze java-kotlin, Gitleaks Scan, CodeQL).

LGTM - ready to merge. Once merged on main, IS will flip d2/d3/d4 on HC-1453 + SEC-6997, then proceed with the public flip + PVR enable (same flow as the iOS + RN example repos shipped earlier today).

@aaryan-collab merged commit ce032a1 into main May 27, 2026 (4 checks passed)

@aaryan-collab deleted the HC-1453-android-example-pre-public-release-readiness branch May 27, 2026 13:39