ci: fix broken Slack notification workflows (incoming-webhook)

[jpr5]

Summary

The Slack Open PRs Notification and Slack Issue Notification workflows failed on every run with SlackError: Missing input! Either a method or webhook is required. They used slackapi/slack-github-action's webhook-type: webhook-trigger (Slack Workflow Builder) pointed at a secret that was never set — but the org standard, and the only webhook URL available, is an incoming-webhook. This converts both workflows to the org-canonical incoming-webhook pattern so they deliver to #oss-alerts, and hardens the surrounding workflow code.

Slack notifications

• Both workflows: slackapi/slack-github-action pinned to b0fa283… (v2.1.0), webhook-type: incoming-webhook, message-shaped { "text": ... } payload built with toJSON(format(...)) so PR/issue titles escape into valid JSON.
• Standardized the webhook secret on SLACK_WEBHOOK_OSS_ALERTS (→ #oss-alerts), matching the rest of the org. The secret is set on this repo.
• Open-PRs workflow: skips the post when there are zero open PRs; paginates all open PRs (was silently capped at 30); guards a null PR author; uses a random GITHUB_OUTPUT delimiter.
• Corrected the DST-misleading cron comment.

e2e workflows (hardening, surfaced while touching .github/workflows/**)

• Pinned the CDK clone to --branch main to match the step's stated intent.
• Fail-loud CDK sourcing: assert the built tarball exists; robust npm pack --json | jq capture with a non-empty/null assertion; set -euo pipefail on the touched shell blocks.
• Validate CDK_REPO_NAME / CDK_REPO_TOKEN secrets before the clone, with an operator-facing error message.
• Fixed the e2e-tests-full concurrency group (dropped a dead github.event.pull_request.number reference).
• Single-sourced the AWS region default; added type: string to the aws_region input.
• Corrected inaccurate comments (Bedrock substring-filter scope, dispatch-only region note, DST cron comment).
• Corrected a stale aws-actions/configure-aws-credentials version comment (# v6 → # v6.1.1) so the repo's zizmor static-analysis gate passes on workflow changes.

Test plan

• Triggered the open-PRs workflow via workflow_dispatch — posted the digest to #oss-alerts (HTTP 200, no "Missing input" error).
• actionlint and zizmor (--min-severity medium) clean on all four workflow files.
• CI green: build (20.x/22.x/24.x), lint, typecheck, format, zizmor static analysis, validate-pr-title.
• e2e workflow changes are verified by actionlint/zizmor/static review only — not run live (they require AWS OIDC + create billable/limited resources). The changes are behavior-preserving except the intended --branch main pin.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	42.44%	7169 / 16891
🔵	Statements	41.84%	7602 / 18165
🔵	Functions	40.14%	1273 / 3171
🔵	Branches	41.03%	4803 / 11706

Generated in workflow #29 for commit 7afdbb0 by the Vitest Coverage Report Action