Prepare forgejo-runner v12 upgrade (leaf nodes) (#250)

## Summary
- Review runner config against v12.7.0 defaults — added `shutdown_timeout: 3h`, no breaking changes found
- Add `validate_workflows` Dagger function using `forgejo-runner validate --directory .` inside upstream container
- All 6 workflows pass v12.7.0 schema validation
- Wire `mise run validate-workflows` task and pre-commit hook on `.forgejo/workflows/` changes
- Mark both leaf Mikado cards (`review-runner-config-v12`, `validate-workflows-against-v12`) complete

## Mikado State
After merge, `upgrade-k8s-runner` goal card has no unmet dependencies — ready to execute the actual image bump in a follow-up PR.

## Test Plan
- [x] `dagger call validate-workflows --src=.` passes (all 6 workflows OK)
- [x] Pre-commit hooks pass
- [ ] Reviewer: confirm `shutdown_timeout: 3h` addition to ConfigMap looks reasonable

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/250

.dagger/src/blumeops_ci/main.py

@@ -233,6 +233,27 @@ class BlumeopsCi:
             .file(f"/output/{output_file}")
         )
 
+    @function
+    async def validate_workflows(
+        self,
+        src: dagger.Directory,
+        runner_version: str = "12.7.0",
+    ) -> str:
+        """Validate Forgejo Actions workflow files against runner schema.
+
+        Runs forgejo-runner validate (available v9.0+) against all workflow
+        files in .forgejo/workflows/. Returns validation output. Fails if
+        any workflow has schema errors.
+        """
+        return await (
+            dag.container()
+            .from_(f"code.forgejo.org/forgejo/runner:{runner_version}")
+            .with_directory("/workspace", src)
+            .with_workdir("/workspace")
+            .with_exec(["forgejo-runner", "validate", "--directory", "."])
+            .stdout()
+        )
+
     @function
     async def flake_update(
         self, src: dagger.Directory, flake_path: str = "nixos/ringtail"