Comparing changes
base repository: github-community-projects/contributors
base: v2.0.4
head repository: github-community-projects/contributors
compare: v2.0.5
- 8 commits
- 16 files changed
- 3 contributors
Commits on Mar 14, 2026
fix: tighten workflow permissions, add security hardening, and fix uv tool invocations (#431)

* fix: tighten workflow permissions, add security hardening, and fix uv tool invocations

## What

Move elevated permissions from workflow level to job level across three workflows (mark-ready-when-ready, scorecard, stale) so each job only holds the permissions it actually needs. Add step-security/harden-runner to all eight workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via `uv run python -m` since they lack console script entry points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597.

## Why

Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts; `python -m` ensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515 `crit` header parameter (CVSS 7.5).

## Notes

- The `uv run` to `uv run python -m` change also affects CI since python-ci calls `make lint` and `make test`
- release.yml, auto-labeler.yml, and pr-title.yml use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead
- The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed
- PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior

Signed-off-by: jmeridth <jmeridth@gmail.com>

* chore: drop autobuild step of codeql from code review

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>
Commit faef7c7
Commits on Mar 16, 2026
Commit 042709d
Commits on Mar 19, 2026
fix: update harden-runner action to v2.16.0 due to security issue

Signed-off-by: jmeridth <jmeridth@gmail.com>
Commit 33b7483

Commit e3b0091

Commit 89f300f
Commits on Mar 20, 2026
chore(deps): bump kenyonj/mark-ready-when-ready (#436)

Bumps [kenyonj/mark-ready-when-ready](https://github.com/kenyonj/mark-ready-when-ready) from 33b13c51ba23786efb933701ef253352baf05bdd to b6279addd55dd13208965a9eff24b2cf1989a8ef.
- [Release notes](https://github.com/kenyonj/mark-ready-when-ready/releases)
- [Commits](kenyonj/mark-ready-when-ready@33b13c5...33b13c5)

---
updated-dependencies:
- dependency-name: kenyonj/mark-ready-when-ready
  dependency-version: 33b13c51ba23786efb933701ef253352baf05bdd
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit cace48b
Commits on Mar 23, 2026
chore(deps): bump github-community-projects/contributors (#437)

Bumps [github-community-projects/contributors](https://github.com/github-community-projects/contributors) from 1.7.8 to 2.0.4.
- [Release notes](https://github.com/github-community-projects/contributors/releases)
- [Commits](0d5adc3...08ba119)

---
updated-dependencies:
- dependency-name: github-community-projects/contributors
  dependency-version: 2.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 21d639f
Commits on Mar 26, 2026
chore(deps): bump requests from 2.32.5 to 2.33.0 (#438)

Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 24fd00b
You can try running this command locally to see the comparison on your machine:
git diff v2.0.4...v2.0.5