Commit
0ab9f0dffb6e3d52a2fe89bdb003d4ce810256c4
by noreply
ci(prow): focus secret gate on Jenkins credential misuse risks (#4541)
## Summary
- narrow `pull-verify-secret-scan` trigger scope to Jenkins
credential-risk files only (`pipelines/jobs/libraries/prow-jobs`)
- switch gitleaks from whole-repo scan to incremental commit-range scan
(`PULL_BASE_SHA..PULL_PULL_SHA`)
- add `.ci/verify-jenkins-credential-policy.sh` to block high-risk
credential misuse patterns in changed Groovy/YAML files
## Why
Continue FLA-109 remaining scope based on Architect TDS v1.1: focus on
credential misuse/abuse risk in Jenkins task surface and reduce
duplicated broad scanning.
## Test
- `bash -n .ci/verify-secret-scan.sh`
- `bash -n .ci/verify-jenkins-credential-policy.sh`
- `PULL_BASE_SHA=$(git merge-base HEAD origin/main) PULL_PULL_SHA=HEAD
.ci/verify-jenkins-credential-policy.sh`
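An added example, not code from this commit or its repository: one way a commit-range policy check of the kind the summary describes can be structured. It assumes the scope string names four top-level directories; the three rules, the function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration, not the repository's .ci/verify-jenkins-credential-policy.sh.
# Assumptions: scope = four top-level dirs; the rules below are hypothetical.

SCOPE_RE='^(pipelines|jobs|libraries|prow-jobs)/.*\.(groovy|ya?ml)$'
# Keep only in-scope Groovy/YAML paths from a newline-separated list on stdin.
filter_scope() { grep -E "$SCOPE_RE" || true; }

# Files added/copied/modified/renamed in the pull request's commit range.
changed_files() { git diff --name-only --diff-filter=ACMR "${PULL_BASE_SHA}..${PULL_PULL_SHA}"; }

# hit <rule> <regex> <file>: print "file:line: rule" for each matching line.
hit() {
  grep -niE -- "$2" "$3" | while IFS=: read -r n rest; do echo "$3:$n: $1"; done
}

scan_file() {
  # Credential-named variable written to the build log.
  hit echo-credential '(echo|println).*\$\{?[A-Za-z0-9_]*(PASSWORD|TOKEN|SECRET)' "$1"
  # Shell tracing prints expanded commands, including bound secrets, to the log.
  hit shell-xtrace 'set -[a-z]*x' "$1"
  # Literal secret assigned in the file instead of a credentials binding.
  hit inline-secret "(password|token|secret)[[:space:]]*[:=][[:space:]]*['\"][^'\"\$]+['\"]" "$1"
}

# verify: read paths on stdin, print findings, return 1 if any in-scope file has one.
verify() {
  local out
  out=$(filter_scope | while IFS= read -r f; do
    if [ -f "$f" ]; then scan_file "$f"; fi
  done)
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
}

# demo: constructed sample tree (not from the repository), scanned in a temp dir.
demo() (
  cd "$(mktemp -d)" && mkdir -p pipelines jobs docs
  printf '%s\n' "withCredentials([string(credentialsId: 'deploy', variable: 'DEPLOY_TOKEN')]) {" \
    "  sh 'set -x; echo \$DEPLOY_TOKEN'" "}" > pipelines/bad.groovy
  printf '%s\n' "withCredentials([string(credentialsId: 'deploy', variable: 'DEPLOY_TOKEN')]) {" \
    "  sh './deploy.sh'" "}" > pipelines/good.groovy
  printf 'password: "constructed-example"\n' | tee jobs/bad.yaml > docs/out-of-scope.yaml
  printf '%s\n' pipelines/bad.groovy pipelines/good.groovy jobs/bad.yaml docs/out-of-scope.yaml | verify
)

if [ -n "${PULL_BASE_SHA:-}" ] && [ -n "${PULL_PULL_SHA:-}" ]; then
  changed_files | verify || exit 1   # CI mode: fail the job on any finding
else
  demo || true                       # no commit range given: run the constructed demo
fi
```

Scanning only the files named by the commit range keeps the gate quick, but a rule added later is never applied to files that no pull request touches.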