
chore(ci): re-enable php-model seed auto-update (GHSA-qrr6-mg7r-m243)#15158

Closed
github-actions[bot] wants to merge 2 commits into main from dependabot-alert-1995-devin

Conversation

github-actions bot (Contributor) commented Apr 20, 2026

Description

Linear ticket: Refs Dependabot alert #1995

Addresses GHSA-qrr6-mg7r-m243 (HIGH): PHPUnit forwards PHP INI settings to child processes without neutralizing INI metacharacters, allowing argument injection via newlines in INI values. Patched in phpunit/phpunit@12.5.22.

The php-model-seed-update job in .github/workflows/update-seed.yml was pinned to if: false ("generator not actively supported"), so when the php SDK release 2.4.2 bumped phpunit to ^12.5.22 and PHP to 8.3 in the shared @fern-api/php-base PhpProject template, the Update Seed auto-PR pipeline only refreshed seed/php-sdk/**. seed/php-model/** stayed on phpunit ^9.0 / PHP 8.1, leaving GHSA-qrr6-mg7r-m243 still flagged by Dependabot on seed/php-model/multi-url-environment-reference/composer.json.

This PR restores the original if: condition (matching php-sdk-seed-update and the other generator jobs), so the matching Update Seed auto-PR will run for php-model on the next push to main (or on a manual workflow_dispatch with language=php). The downstream apply-update-seed-patches / create-pull-request matrix already includes php-model, so no other workflow changes are needed. The refreshed seed/php-model/** fixtures will land via the follow-up auto-PR rather than via hand-edits here.

Changes Made

  • .github/workflows/update-seed.yml: re-enable php-model-seed-update by uncommenting the original if: condition and removing the if: false override
  • Deleted .github/dependabot-alerts/alert-1995.md scaffold per the PR instructions
  • Updated README.md generator (if applicable) — N/A

Testing

  • Unit tests added/updated — N/A (CI workflow-only change)
  • Manual testing completed:
    • diff of the restored if: block against php-sdk-seed-update confirms they match exactly
    • Pre-commit hooks pass

cc @davidkonigsberg

Link to Devin session: https://app.devin.ai/sessions/c54f0fbc02ea496dadad26385b98f64d
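The description above notes that the auto-PR pipeline only refreshed seed/php-sdk/** while seed/php-model/** stayed on phpunit ^9.0, which is exactly the gap a reviewer will want to verify once the follow-up auto-PR lands. The following is an added check, not part of this PR or the repository's own tooling: it walks a tree of composer.json fixtures, reads the phpunit/phpunit constraint, and flags any file whose constraint can still resolve to a release below 12.5.22 (the patched version named in the description). The fixture paths and constraint strings embedded below are constructed samples; the Composer constraint parser is deliberately conservative and treats anything it cannot parse (OR-ranges, wildcards) as unpatched so it surfaces for manual review.

```python
"""Flag composer.json fixtures whose phpunit/phpunit constraint still admits a
version below a patched release. Added example; not the project's own tooling."""
import json
import re
from pathlib import Path

# Patched version from the PR description (GHSA-qrr6-mg7r-m243 fixed in 12.5.22).
PATCHED = (12, 5, 22)


def parse_version(text):
    """Turn '12.5.22', '9.0' or 'v8.3' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def constraint_minimum(constraint):
    """Return the lowest version a simple Composer constraint admits.

    Handles ^x.y.z, ~x.y.z, >=x.y.z and exact x.y.z. Returns None for anything
    more complex (e.g. '^9.0 || ^10.0', '9.*'); callers treat None as 'unknown',
    which this check deliberately reports as unpatched rather than silently passing.
    """
    m = re.fullmatch(r"(\^|~|>=)?\s*v?(\d+(?:\.\d+){0,2})", constraint.strip())
    if not m:
        return None
    return parse_version(m.group(2))


def phpunit_is_patched(composer_json_text, patched=PATCHED):
    """True only if every admissible phpunit version is >= the patched release.

    A caret constraint such as ^9.0 caps at <10.0, so its lowest admissible
    version (9.0.0) being below 12.5.22 means the fixture can never pull in the
    fix; checking the minimum is therefore sufficient and conservative.
    """
    data = json.loads(composer_json_text)
    for section in ("require", "require-dev"):
        constraint = data.get(section, {}).get("phpunit/phpunit")
        if constraint is not None:
            low = constraint_minimum(constraint)
            return low is not None and low >= patched
    return True  # phpunit is not a dependency of this fixture at all


def find_unpatched(files, patched=PATCHED):
    """Given {relative_path: composer.json text}, return sorted paths still unpatched."""
    return sorted(p for p, text in files.items() if not phpunit_is_patched(text, patched))


def load_tree(root):
    """Collect every composer.json under root (e.g. 'seed/') keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text() for p in root.rglob("composer.json")}


# Constructed sample fixtures mirroring the situation in the PR description:
# php-sdk already bumped, php-model still on the old constraint, plus one
# OR-range the parser intentionally refuses to vouch for.
SAMPLE_FIXTURES = {
    "seed/php-sdk/multi-url-environment-reference/composer.json": json.dumps(
        {"require": {"php": "^8.3"}, "require-dev": {"phpunit/phpunit": "^12.5.22"}}
    ),
    "seed/php-model/multi-url-environment-reference/composer.json": json.dumps(
        {"require": {"php": "^8.1"}, "require-dev": {"phpunit/phpunit": "^9.0"}}
    ),
    "seed/php-model/hypothetical-or-range/composer.json": json.dumps(
        {"require-dev": {"phpunit/phpunit": "^9.0 || ^12.5.22"}}
    ),
}

if __name__ == "__main__":
    # Usage: python check_phpunit.py  (or swap SAMPLE_FIXTURES for load_tree("seed"))
    for path in find_unpatched(SAMPLE_FIXTURES):
        print(f"still admits phpunit < {'.'.join(map(str, PATCHED))}: {path}")
```

Running this against the real tree after the follow-up Update Seed auto-PR merges (`find_unpatched(load_tree("seed"))`) should return an empty list; any path it prints is a fixture the auto-PR missed or a constraint that needs a human to read it.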

devin-ai-integration bot changed the title from "[Dependabot Alert #1995] HIGH: phpunit/phpunit vulnerability" to "chore(php): bump phpunit to ^12.5.22 in php-model seed fixtures (GHSA-qrr6-mg7r-m243)" on Apr 20, 2026

The php-model-seed-update job in update-seed.yml was pinned to if: false ('generator not actively supported'), so when #15145 bumped phpunit to ^12.5.22 and PHP to 8.3 in the shared @fern-api/php-base PhpProject template, the Update Seed auto-PR pipeline only refreshed seed/php-sdk/** — seed/php-model/** stayed on phpunit ^9.0 / PHP 8.1, leaving GHSA-qrr6-mg7r-m243 still flagged by Dependabot on seed/php-model/multi-url-environment-reference/composer.json.

Restoring the original condition so the matching Update Seed auto-PR will run for php-model on the next push to main (or on a manual workflow_dispatch with language=php). The downstream apply-update-seed-patches / create-pull-request matrix already includes php-model, so no other changes are needed. Seed fixtures under seed/php-model/** will be refreshed by that follow-up auto-PR rather than by hand-edits in this PR.

devin-ai-integration bot force-pushed the dependabot-alert-1995-devin branch from c09c062 to 410f37a on April 20, 2026 14:31

devin-ai-integration bot changed the title from "chore(php): bump phpunit to ^12.5.22 in php-model seed fixtures (GHSA-qrr6-mg7r-m243)" to "chore(ci): re-enable php-model seed auto-update (GHSA-qrr6-mg7r-m243)" on Apr 20, 2026

davidkonigsberg deleted the dependabot-alert-1995-devin branch on April 20, 2026 14:38