
feat: Add shared CDK deploy workflow#6

Merged
amitai-getzler merged 1 commit into main from feat/cdk-deploy-shared-workflow
Jan 19, 2026

Conversation

@amitai-getzler
Contributor

Adds a reusable CDK deploy workflow with:

  • Nicely formatted Slack notifications
  • Change summary with emoji indicators (🟢 add | 🟡 update | 🔴 destroy)
  • Dry-run mode support
  • Configurable inputs for different CDK setups

Example Slack output:

✅ CDK Deploy Succeeded

Repository: vi-technologies/iac-aws-org
Triggered by: vi-simon

Stacks:
• SagemakerUnifiedStudioProd
• SagemakerUnifiedStudioStaging

📊 *3 changes:* 🟢 1 add | 🟡 2 update | 🔴 0 destroy

🟢  S3::Bucket NewBucket
🟡  Lambda::Function MyFunction
🟡  IAM::Role ServiceRole

@amitai-getzler amitai-getzler merged commit 8019294 into main Jan 19, 2026
@amitai-getzler amitai-getzler deleted the feat/cdk-deploy-shared-workflow branch January 19, 2026 16:15
@wiz-inc-dcb26549ac

Wiz Scan Summary

Scanner Findings
  Vulnerabilities: -
  Sensitive Data: -
  Secrets: -
  IaC Misconfigurations: 2 Info
  SAST Findings: -
  Software Management Findings: -
  Total: 2 Info


name: CDK Deploy
runs-on: ubuntu-latest
permissions:
  id-token: write


Info IaC Finding

Workflow should not have write permissions to sensitive scopes
on resource jobs.deploy.permissions.id-token

More Details
This rule checks that GitHub workflow does not use unnecessarily elevated token permissions. This rule fails when a workflow grants write permissions to sensitive scopes like `contents`, `pull-requests`, `packages`, or other privileged operations. Excessive token permissions increase the potential impact of a workflow compromise, allowing attackers to modify repository contents, merge pull requests, or perform other damaging actions. To prevent this risk, always apply the principle of least privilege by restricting token permissions to only what's absolutely necessary for each workflow.

Expected

Job 'deploy' should not have write permission for 'id-token'

Found

Job 'deploy' has write permission for sensitive scope 'id-token'

Security Frameworks: wf-id-1, wf-id-175


Rule ID: a2b066f6-edc5-4e09-b8bf-466ea0188f6e

# - Supports dry-run mode for testing
# =============================================================================

name: CDK Deploy


Info IaC Finding

Workflow should have permissions limitations
on resource name

More Details
This rule checks that GitHub workflow has an empty permissions block to enforce least privilege. This rule fails when the workflow doesn't have a permissions block or has a non-empty permissions block with `write-all` scope, which can grant excessive permissions to workflow actions. Excessive permissions in GitHub workflows increase the risk surface in case of a compromise, potentially allowing attackers to access sensitive resources or perform unauthorized actions. To prevent this risk, always implement least privilege by explicitly defining an empty permissions block for all workflows.

Expected

GitHub workflow should have empty permissions block

Found

GitHub workflow doesn't have a permissions block defined

Security Frameworks: wf-id-175, wf-id-1


Rule ID: 6d67a192-c40a-484d-a850-1acc164bc09b
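Added example (not the workflow file from this PR, which the page does not show in full) of how the two findings are usually reconciled in a reusable workflow: an empty top-level `permissions: {}` resolves the second finding, while `id-token: write` is kept on the deploy job alone, because the OIDC token that `aws-actions/configure-aws-credentials` exchanges for AWS credentials cannot be requested without it. The input name, secret name, region and role ARN are placeholders.

```yaml
# Added example, not the file from this PR. The input name, secret name,
# region and role ARN are placeholders.
name: CDK Deploy

on:
  workflow_call:
    inputs:
      dry_run:
        type: boolean
        default: false
    secrets:
      AWS_DEPLOY_ROLE_ARN:        # placeholder secret name
        required: true

# Flagged state: no top-level block, so every job inherits the repository's
# default token permissions. With an empty block nothing is granted by
# default and each job must declare exactly what it needs.
permissions: {}

jobs:
  deploy:
    name: CDK Deploy
    runs-on: ubuntu-latest
    # Job-scoped grant only: id-token: write lets this job request an OIDC
    # token for keyless AWS auth; contents: read is what checkout needs.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
          aws-region: us-east-1   # placeholder region
      - run: npm ci
      - name: Diff (dry run) or deploy
        run: |
          if [ "${{ inputs.dry_run }}" = "true" ]; then
            npx cdk diff --all
          else
            npx cdk deploy --all --require-approval never
          fi
```

The remaining `id-token: write` finding is then a deliberate, job-scoped grant rather than an inherited default, and the assumed IAM role's trust policy should restrict which repository and branch may present that token.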
