ci: add safe-chain in ci #596

Open
fegmorte wants to merge 4 commits into main from fred/ci/setup-safe-chain

fegmorte commented May 15, 2026

Description of changes

Follow the recommendations of the security team following the tanstack hack:
https://zama-ai.slack.com/archives/C0ATA5RDAAX/p1778574361812809
https://github.com/AikidoSec/safe-chain

Issue ticket number and link

PR Checklist

I attest that all checked items are satisfied. Any deviation is clearly justified above.

  • Title follows conventional commits (e.g. chore: ...).
  • Tests added for every new pub item and test coverage has not decreased.
  • Public APIs and non-obvious logic documented; unfinished work marked as TODO(#issue).
  • unwrap/expect/panic only in tests or for invariant bugs (documented if present).
  • No dependency version changes OR (if changed) only minimal required fixes.
  • No architectural protocol changes OR linked spec PR/issue provided.
  • No breaking deployment config changes OR devops label + infra notified + infra-team reviewer assigned.
  • No breaking gRPC / serialized data changes OR commit marked with ! and affected teams notified.
  • No modifications to existing versionized structs OR backward compatibility tests updated.
  • No critical business logic / crypto changes OR ≥2 reviewers assigned.
  • No new sensitive data fields added OR Zeroize + ZeroizeOnDrop implemented.
  • No new public storage data OR data is verifiable (signature / digest).
  • No unsafe; if unavoidable: minimal, justified, documented, and test/fuzz covered.
  • Strongly typed boundaries: typed inputs validated at the edge; no untyped values or errors cross modules.
  • Self-review completed.

Dependency Update Questionnaire (only if deps changed or added)

Answer in the Cargo.toml next to the dependency (or here if updating):

  1. Ownership changes or suspicious concentration?
  2. Low popularity?
  3. Unusual version jump?
  4. Lacking documentation?
  5. Missing CI?
  6. No security / disclosure policy?
  7. Significant size increase?

More details and explanations for the checklist and dependency updates can be found in CONTRIBUTING.md

fegmorte requested a review from chilcano May 15, 2026 13:47
fegmorte requested a review from a team as a code owner May 15, 2026 13:47
cla-bot Bot added the cla-signed label May 15, 2026

github-actions Bot commented May 15, 2026

Consolidated Tests Results 2026-05-19 - 08:15:58

Test Results

7 passed

Details

Tests: 7
Duration: not captured
Tool: junit-to-ctrf
Build: build-and-test → test-reporter #2199
Pull request: ci: add safe-chain in ci #596

test-reporter: Run #2199

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Pending ⏳ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
|---|---|---|---|---|---|---|---|
| 7 | 7 | 0 | 0 | 0 | 0 | 0 | not captured |

🎉 All tests passed!

Tests

| Test Name | Status | Flaky | Duration |
|---|---|---|---|
| k8s_test_crs_uniqueness | | | 42.6s |
| k8s_test_insecure_keygen_encrypt_and_public_decrypt | | | 2m 5s |
| k8s_test_insecure_keygen_encrypt_multiple_types | | | 2m 23s |
| k8s_test_keygen_and_crs | | | 2m 4s |
| k8s_test_keygen_uniqueness | | | 5m 22s |
| k8s_test_centralized_insecure | | | 57.4s |
| nightly_full_gen_tests_default_k8s_centralized_sequential_crs | | | 1.8s |

🍂 No flaky tests in this run.

Github Test Reporter by CTRF 💚

🔄 This comment has been updated

dvdplm commented May 18, 2026

@fegmorte A little description would make this a bit easier to review... :) What is safe-chain and why do we need it?

Comment thread .github/workflows/main.yml
fegmorte requested a review from dd23 May 19, 2026 07:36