ci(semgrep): add unreturned-sdkdiag-AppendErrorf rule

Running this rule against `main` (without the fixes from this branch):

```console
% semgrep --config .ci/.semgrep.yml ./internal/service/
<snip>

    internal/service/s3/bucket_lifecycle_configuration.go
   ❯❯❱ ci.unreturned-sdkdiag-AppendErrorf
          Calls to `sdkdiag.AppendErrorf()` should be returned or set to the `diags` variable

          292┆ if err != nil {
          293┆   sdkdiag.AppendErrorf(diags, "waiting for S3 Bucket Lifecycle Configuration (%s) create:
               %s", d.Id(), err)
          294┆ }
            ⋮┆----------------------------------------
          390┆ if err != nil {
          391┆   sdkdiag.AppendErrorf(diags, "waiting for S3 Bucket Lifecycle Configuration (%s) update:
               %s", d.Id(), err)
          392┆ }

┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Partially scanned: 8 files only partially analyzed due to parsing or internal Semgrep errors

Ran 34 rules on 6254 files: 12 findings.
```

The same rule run on this branch produces no findings.

.ci/.semgrep.yml

@@ -634,3 +634,28 @@ rules:
     patterns:
       - pattern-regex: "(Create|Read|Update|Delete)Context:"
     severity: ERROR
+
+  - id: unreturned-sdkdiag-AppendErrorf
+    languages: [go]
+    message: Calls to `sdkdiag.AppendErrorf()` should be returned or set to the `diags` variable
+    paths:
+      include:
+        - internal/
+    patterns:
+      - pattern: |
+          if err != nil {
+            sdkdiag.AppendErrorf($DIAGS, ...)
+          }
+      - pattern-not: |
+          if err != nil {
+            return sdkdiag.AppendErrorf($DIAGS, ...)
+          }
+      - pattern-not: |
+          if err != nil {
+            return ..., sdkdiag.AppendErrorf($DIAGS, ...)
+          }
+      - pattern-not: |
+          if err != nil {
+            $DIAGS = sdkdiag.AppendErrorf($DIAGS, ...)
+          }
+    severity: ERROR