chore(ci): comprehensive CI/CD audit fixes per best practices

Implements all 13 fixes identified in the CI/CD audit against
github-actions-ci-cd-best-practices.instructions.md

Critical fixes:

Remove hardcoded encryption key from playwright.yml (security)
Fix artifact filename mismatch in supply-chain-pr.yml (bug)
Pin GoReleaser to ~> v2.5 instead of latest (supply chain)
High priority fixes:

Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml
Add environment protection for release workflow
Fix shell variable escaping ($$ → $) in release-goreleaser.yml
Medium priority fixes:

Add timeout-minutes to playwright.yml (20 min)
Add explicit permissions to quality-checks.yml
Add timeout-minutes to codecov-upload.yml jobs (15 min)
Fix benchmark.yml permissions (workflow-level read, job-level write)
Low priority fixes:

Add timeout-minutes to docs.yml jobs (10/5 min)
Add permissions block to docker-lint.yml
Add timeout-minutes to renovate.yml (30 min)

.github/workflows/playwright.yml

@@ -23,6 +23,7 @@ jobs:
   playwright:
     name: E2E Tests
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     # Only run for PRs or manual dispatch
     if: >-
       github.event_name == 'workflow_dispatch' ||
@@ -31,7 +32,7 @@ jobs:
     env:
       CHARON_ENV: development
       CHARON_DEBUG: "1"
-      CHARON_ENCRYPTION_KEY: dGVzdC1lbmNyeXB0aW9uLWtleS1mb3ItY2ktMzJieXQ=
+      CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_CI_ENCRYPTION_KEY }}
 
     steps:
       - name: Checkout repository