chore(ci): add PR title validation workflow

[Gabrielpanga]

Summary

Ports pr-title.yml from pluggy-node. Runs on every PR targeting master and validates the title against Conventional Commits via amannn/action-semantic-pull-request@v6.1.1.

Allowed types: feat, fix, perf, chore, docs, style, refactor, test, build, ci, revert. Scope is optional.

The existing commit history in this repo already follows this style informally (fix:, feat(identity):, chore(deps):, etc.); the workflow just makes it enforced so titles can't drift.

Test plan

• After merge, open a PR with a non-conforming title (e.g. update stuff) and verify the check fails
• Open a PR with feat: add thing and verify the check passes

Other workflow gaps surfaced vs pluggy-node (not in this PR)

While porting this workflow, I diffed the rest of pluggy-node's CI against pluggy-java's. Surfacing here as follow-up candidates:

Gap	Impact	Suggested PR
release.yml tags + publishes without running tests first — if master is broken, a broken release ships to GitHub Packages	High (real defect)	Gate release.yml on mvn -B verify
Old action versions: actions/checkout@v2, actions/setup-java@v1 in maven.yml and maven-publish.yml	Medium (sec/perf, mechanical)	Bump to @v4
No supply-chain audit step in CI (Maven equivalent of pnpm audit). The gson CVE only surfaced via Dependabot, not CI	Medium	Add org.owasp:dependency-check-maven to maven.yml
Release uses raw GITHUB_TOKEN instead of scoped GitHub App token	Low (security hygiene)	Lower priority

Happy to tackle any of these as separate PRs.