ci: supply-chain workflow fails before creating jobs #77

@stackbilt-admin

Summary

The package release path is green, but the push-triggered supply-chain workflow is failing before it creates jobs or logs.

Observed during the v1.11.0 release pass:

  • CI run for faacc42 succeeded.
  • Publish to npm release workflow for v1.11.0 succeeded and published @stackbilt/llm-providers@1.11.0 with provenance.
  • .github/workflows/supply-chain.yml failed on push with no jobs and no downloadable logs.

Run evidence:

This failure also appears on earlier pushes, so it is not introduced by the v1.11.0 package changes.

Likely area

.github/workflows/supply-chain.yml calls reusable workflows from Stackbilt-dev/stackbilt_llc:

  • .github/workflows/supply-chain-sbom.yml
  • .github/workflows/supply-chain-dep-review.yml

The referenced reusable workflow files exist at the pinned SHA, but GitHub marks the caller run as failed before materializing any jobs. That usually points to a workflow-reference, permissions, or reusable-workflow call validation problem.

Acceptance criteria

  • Pushes to main create supply-chain jobs instead of failing at workflow setup.
  • SBOM artifact generation still runs for pushes.
  • Dependency review still runs for PRs only.
  • The workflow remains suitable for a public OSS package.

Current release status

Not a v1.11.0 release blocker: @stackbilt/llm-providers@1.11.0 is published and the publish workflow passed all package gates.
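
A caller layout that would satisfy the acceptance criteria above, as an added example that is not taken from the issue or the repository. The pinned SHA is a placeholder, and the job names, trigger list and permission scopes are assumptions to be matched against what the called workflows declare.

```yaml
# Added example; not the repository's actual supply-chain.yml.
name: supply-chain

on:
  push:
    branches: [main]
  pull_request:

# Default to read-only; each calling job grants only what its callee needs.
permissions:
  contents: read

jobs:
  sbom:
    # Assumed job name. Runs for pushes only.
    if: github.event_name == 'push'
    # A called workflow can keep or reduce these scopes, never widen them.
    # A callee job that requests more than is granted here fails
    # validation before any job is created.
    permissions:
      contents: read
    # <PINNED_SHA> is a placeholder for the full 40-character commit SHA.
    uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-sbom.yml@<PINNED_SHA>

  dep-review:
    # Assumed job name. Runs for pull requests only.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      # Assumption: only needed if the called workflow comments on the PR.
      pull-requests: write
    uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-dep-review.yml@<PINNED_SHA>
```

On the called side, each reusable workflow has to declare `on: workflow_call`, live in a repository this one is allowed to call, and declare every input and secret the caller passes. A mismatch in any of these is rejected when the run is set up, which matches a run that fails with no jobs and no logs.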
