
Fix GitHub advisory YAML indentation #1092

Open
StantonMatt wants to merge 1 commit into rubysec:master from StantonMatt:fix-github-advisory-yaml-indent

Conversation

@StantonMatt commented Jun 2, 2026

Fixes #1091.

This updates the GitHub advisory sync output so generated sequence values under advisory keys are indented under their parent key, including:

  • patched_versions
  • related.url

The formatter validates that reindented YAML parses back to the same data before using it, so nested raw GitHub payloads and multiline scalar text do not get silently rewritten if a shape is not safe to reformat.

Verification:

GEM_HOME=.codex-tmp/ruby-advisory-db/gems-ruby26 \
GEM_PATH=.codex-tmp/ruby-advisory-db/gems-ruby26 \
ruby -rlogger -Ilib -Ispec .codex-tmp/ruby-advisory-db/gems-ruby26/bin/rspec spec/github_advisory_sync_spec.rb

ruby -c lib/github_advisory_sync.rb
ruby -c spec/github_advisory_sync_spec.rb
git diff --check

Signed-off-by: Matthew Stanton <stantonmatthewj@gmail.com>
@simi (Contributor) commented Jun 2, 2026

Is it needed to reinvent the yaml lint/format? Can't we use some existing tooling to make it happen?

@StantonMatt (Author)

Good question. I did check the existing path before going this route: the repo currently has yamllint, but that only validates the advisory files; it does not rewrite the generated YAML. The Ruby stdlib/Psych emitter is also the source of the shape here. On the repo Ruby path, YAML.dump(data, indentation: 2) still emits sequences like:

related:
  url:
  - https://example.test/a
patched_versions:
- ">= 3.0.1"

So this PR is not trying to replace a formatter that is already wired in; it is a narrow post-process around Psych output, with a round-trip guard before writing it.

That said, I agree that a real formatter would be preferable if the project is comfortable adding one. I can look for a small existing tool that fits the repo and rework this, or keep this limited to generated GitHub advisory output if avoiding another dependency is the priority.
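The narrow post-process the author describes above, as an added example that is not the PR's own code: it takes Psych-shaped text in which sequences sit at the same column as their parent key, shifts each "- item" (and its continuation lines) two spaces to the right, and keeps the result only if it loads back to the same data. The module name, method names and the sample YAML are assumptions constructed for this illustration.

```ruby
require "yaml"

# Added example, not code from the PR: a narrow post-process over Psych output
# that shifts block-sequence items two spaces under their parent key, plus the
# round-trip guard that keeps the reindented text only if it parses to the
# same data. Module and method names are assumptions for this illustration.
module AdvisoryYamlIndent
  SEQ_ITEM     = /\A- /                      # "- item" after the indent
  BLOCK_KEY    = /:\z/                       # "key:" whose value follows on later lines
  BLOCK_SCALAR = /(\A|\s)[|>][+-]?\d?\z/     # "key: |", "- >-", "notes: |+" ...

  # Constructed sample in the shape Psych's YAML.dump emits on the repo Ruby:
  # sequences sit at the same column as their parent key.
  SAMPLE = <<~YAML
    ---
    gem: example
    related:
      url:
      - https://example.test/a
    patched_versions:
    - ">= 3.0.1"
    description: |
      Text with a colon:
      - not a sequence
  YAML

  # Reindents sequences under their parent keys. Only structural lines are
  # inspected; block scalar bodies and blank lines are shifted along with
  # their parent and never interpreted, so "- " inside prose stays prose.
  def self.reindent(text, width: 2)
    stack = []          # [key_column, active] for each open "key:" block
    scalar_indent = nil # indent of the line that opened a block scalar
    out = []

    text.each_line(chomp: true) do |line|
      stripped = line.lstrip
      indent = line.length - stripped.length

      if stripped.empty?
        out << line
        next
      end

      if scalar_indent
        if indent > scalar_indent
          out << (" " * (width * stack.count { |_, active| active })) + line
          next
        end
        scalar_indent = nil
      end

      # Leave every block this line is no longer inside of.
      stack.pop while stack.any? &&
                      (indent < stack.last[0] ||
                       (indent == stack.last[0] && stripped !~ SEQ_ITEM))

      # A "- item" at the key's own column is that key's sequence: start shifting.
      stack.last[1] = true if stack.any? && indent == stack.last[0] && stripped =~ SEQ_ITEM

      shift = width * stack.count { |_, active| active }
      out << (" " * shift) + line

      if stripped =~ BLOCK_SCALAR
        scalar_indent = indent
      elsif stripped =~ BLOCK_KEY
        # Inside "- key:" the key itself sits two columns right of the dash.
        stack << [indent + (stripped =~ SEQ_ITEM ? 2 : 0), false]
      end
    end

    out.join("\n") + "\n"
  end

  # Round-trip guard: use the reindented YAML only when it loads to exactly
  # the data the original loads to; otherwise keep Psych's output untouched.
  def self.safe_reindent(text)
    candidate = reindent(text)
    YAML.safe_load(candidate) == YAML.safe_load(text) ? candidate : text
  rescue Psych::SyntaxError
    text
  end
end

puts AdvisoryYamlIndent.safe_reindent(AdvisoryYamlIndent::SAMPLE) if $PROGRAM_NAME == __FILE__
```

The guard is what makes the post-process safe to apply blindly to sync output: if the line-based reindent ever misreads a shape (a block scalar whose body looks like YAML structure, for instance), the loaded data differs and the original Psych text is written instead of a silently altered advisory.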

Development

Successfully merging this pull request may close these issues.

Fix lib/github_advisory_sync.rb script to indent patched_versions: and related:/url: 2 spaces to the right
