[ci-scan] Fix ci-failure-scan-feedback protected-files dot-folder rejection

The ci-failure-scan-feedback workflow proposes edits to
.github/workflows/ci-failure-scan.md, but gh-aw v0.71.5 enforces a
default protected-files rule that blocks any patch touching a top-level
.* directory (including .github/), independently of allowed-files. Every
scheduled run failed at the safe_outputs step with:

  Cannot create pull request: patch modifies protected files
  (.github/workflows/ci-failure-scan.md). Add them to the allowed-files
  configuration field or set protected-files: fallback-to-issue ...

Opt the .github/ directory out of the dot-folder rule on both
create-pull-request and push-to-pull-request-branch by adding a
protected-files block with policy: blocked + exclude: [.github/]. The
allowed-files entry still restricts edits to a single file
(.github/workflows/ci-failure-scan.md), so the effective surface is
unchanged; only the redundant dot-folder gate is lifted. All other
default protections (package manifests, CODEOWNERS, AGENTS.md, etc.)
remain in force.

Lock file regenerated with gh aw compile; manual pat_pool patch on the
detection job (gh-aw issue #30232) reapplied.

Verified failing run: https://github.com/dotnet/runtime/actions/runs/26619056447

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Milos Kotlar

.github/workflows/ci-failure-scan-feedback.lock.yml

@@ -52,12 +52,20 @@ safe-outputs:
     max: 1
     allowed-files:
       - ".github/workflows/ci-failure-scan.md"
+    protected-files:
+      policy: blocked
+      exclude:
+        - .github/
     labels: [agentic-workflows]
     allowed-labels: [agentic-workflows]
   push-to-pull-request-branch:
     max: 1
     allowed-files:
       - ".github/workflows/ci-failure-scan.md"
+    protected-files:
+      policy: blocked
+      exclude:
+        - .github/
   update-pull-request:
     max: 1
   create-issue: