Add GitHub Action Checking that Zstd Runs Successfully Under CET

[felixhandte]

Given that we do not currently run our tests on any platforms that have hardware CET support, merging #2992 presented a risk that we could introduce breakage for our users that we were not in a position to detect. This PR uses the Intel SDE tool to emulate CET enforcement, and validates that zstd runs correctly in that environment.

I validated that this test fails when an indirect jump is made to a target that is not marked with an endbr instruction, with the following patch:

--- a/lib/decompress/huf_decompress_amd64.S
+++ b/lib/decompress/huf_decompress_amd64.S
@@ -303,7 +303,8 @@ HUF_decompress4X1_usingDTable_internal_bmi2_asm_loop:
     movq 16(%rsp), %ip3
 
     /* Re-compute olimit */
-    jmp .L_4X1_compute_olimit
+    lea .L_4X1_compute_olimit(%rip), %rax
+    jmp *%rax
 
 #undef GET_NEXT_DELT
 #undef DECODE_FROM_DELT
@@ -535,7 +536,8 @@ HUF_decompress4X2_usingDTable_internal_bmi2_asm_loop:
 
     cmp %op3, 48(%rsp)
     ja .L_4X2_loop_body
-    jmp .L_4X2_compute_olimit
+    lea .L_4X2_compute_olimit(%rip), %rax
+    jmp *%rax
 
 #undef DECODE
 #undef RELOAD_BITS