fix: handle per-repo failures in phase9 instead of aborting

Previously, a failure on any repo (clone, commit, push) would kill the
entire script via set -e. Remaining repos were never processed and the
FAILED counter was always 0. Now clone and commit/push failures
increment FAILED and continue to the next repo, matching the pattern
used in phase4_migrate_repos.sh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

phase9_security.sh

@@ -92,7 +92,11 @@ for repo in "${REPOS[@]}"; do
 
   REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
   log_info "Cloning ${repo}..."
-  git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
+  if ! git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"; then
+    log_error "Failed to clone ${repo}"
+    FAILED=$((FAILED + 1))
+    continue
+  fi
 
   # -------------------------------------------------------------------------
   # Step 2: Render security workflow template
@@ -109,13 +113,18 @@ for repo in "${REPOS[@]}"; do
   # -------------------------------------------------------------------------
   # Step 3: Commit and push
   # -------------------------------------------------------------------------
+  if ! (
     cd "$CLONE_DIR"
     git config user.name "Gitea Migration"
     git config user.email "migration@gitea.local"
     git add .gitea/workflows/security-scan.yml
     git commit -q -m "Add security scanning workflow (Semgrep + Trivy + Gitleaks)"
     git_with_auth git push -q origin HEAD
-  cd "$SCRIPT_DIR"
+  ); then
+    log_error "Failed to commit/push security workflow to ${repo}"
+    FAILED=$((FAILED + 1))
+    continue
+  fi
 
   log_success "Security workflow deployed to ${repo}"