
feat: validate action #116

Draft
reuvenharrison wants to merge 1 commit into
main from
feat/validate-action

@reuvenharrison
Contributor

Summary

  • New validate/ action that runs oasdiff validate against an OpenAPI spec and emits per-finding PR annotations via --format githubactions.
  • Outputs findings (numeric count) so downstream steps can branch on it.
  • When findings are reported, emits a ::notice:: annotation plus a GITHUB_STEP_SUMMARY link to the free review surface on oasdiff.com, mirroring the breaking action.
  • fail-on-finding toggle (default true) lets callers run in visibility-only mode without failing CI.
  • allow-external-refs toggle (default true, matching oasdiff's binary default); set to false when validating untrusted specs to prevent SSRF.

Test plan

  • Run on a valid spec, expect 0 findings, exit 0, no annotations.
  • Run on a spec with a missing info.version, expect 1 finding annotation on info: at the correct line, exit 1.
  • Run with fail-on-finding: false on a spec with findings, expect annotations + step summary link, exit 0.
  • Run with allow-external-refs: false on a spec with an external $ref, expect a finding annotation.
  • Confirm outputs.findings is the numeric count and downstream if: steps.x.outputs.findings == '0' works.

🤖 Generated with Claude Code

Per-finding PR annotations via --format githubactions, plus a notice
with a free review-page link when findings are reported. Mirrors the
shape of the breaking action: text run for findings count + step
output, githubactions run for the annotations, fail-on-finding toggle
defaulting to true.

allow-external-refs defaults to true (matches oasdiff's binary
default); set to false when validating untrusted specs to prevent
SSRF.

Outputs `findings` (numeric) so downstream steps can branch on it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@reuvenharrison reuvenharrison marked this pull request as draft May 17, 2026 21:20
@reuvenharrison
Contributor Author

Holding this PR until oasdiff v1.16.0 ships with the new validate subcommand (oasdiff #894). Once that release is tagged and tufin/oasdiff:v1.16.0 is published, I'll bump validate/Dockerfile to that tag and add CI tests matching the diff/breaking/changelog jobs (output assertion + output-to-file + fail-on-finding toggle + allow-external-refs toggle). As of v1.15.3, oasdiff validate does not exist, so the action would fail with 'unknown command' on every run.
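
A pre-check for the untrusted-spec case named in the PR summary, as an added example that is not part of this PR or of oasdiff: it lists every `$ref` in a JSON-encoded spec that points outside the document, which is the kind of reference a resolver would have to fetch. The sample spec, the function names and the rule that any `$ref` not starting with `#` counts as external are assumptions made here; oasdiff's own check may differ.

```python
import json
from urllib.parse import urlsplit

# Constructed sample spec (not from the PR): one in-document reference,
# one relative file reference and two URL references.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "demo", "version": "1.0.0"},
  "paths": {
    "/pets": {"get": {"responses": {"200": {"$ref": "#/components/responses/Ok"}}}},
    "/users": {"$ref": "./paths/users.json"}
  },
  "components": {
    "responses": {"Ok": {"description": "ok"}},
    "schemas": {
      "Remote": {"$ref": "https://specs.example.com/common.json#/Pet"},
      "Internal": {"$ref": "http://internal.example/schema.json"}
    }
  }
}
""")


def classify_ref(ref):
    """Return 'local', 'path' or 'url' for a $ref string (assumed rule)."""
    if ref.startswith("#"):
        return "local"  # JSON pointer into the same document, nothing to fetch
    return "url" if urlsplit(ref).scheme else "path"


def external_refs(node, pointer="#"):
    """Yield (json_pointer, ref, kind) for every non-local $ref under node."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and classify_ref(ref) != "local":
            yield pointer, ref, classify_ref(ref)
        for key, value in node.items():
            token = key.replace("~", "~0").replace("/", "~1")  # RFC 6901 escaping
            yield from external_refs(value, pointer + "/" + token)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from external_refs(value, pointer + "/" + str(index))


if __name__ == "__main__":
    for pointer, ref, kind in external_refs(SAMPLE_SPEC):
        print(f"{kind:4} {pointer} -> {ref}")
```
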
