Comparing changes

base repository: github-community-projects/issue-metrics
base: v4.1.1
...
head repository: github-community-projects/issue-metrics
compare: v4.1.2
  • 6 commits
  • 19 files changed
  • 4 contributors

Commits on Mar 14, 2026

  1. fix: tighten workflow permissions, add security hardening, and fix uv tool invocations (#702)
    
    * fix: tighten workflow permissions, add security hardening, and fix uv tool invocations
    
    ## What
    
    Move elevated permissions from workflow level to job level across four workflows
    (mark-ready-when-ready, scorecard, stale, contributor_report) so each job only
    holds the permissions it actually needs. Add step-security/harden-runner to all
    eight workflows that define steps. Add CodeQL SAST scanning and dependency-review
    workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local
    linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via
    `uv run python -m` since they lack console script entry points in the uv venv.
    Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597.
    
    ## Why
    
    Workflow-level write permissions apply to every job in the workflow, granting
    broader access than necessary. Moving them to job level follows the principle of
    least privilege. Harden-runner audits outbound network calls from GitHub-hosted
    runners, improving supply-chain visibility. CodeQL and dependency-review close
    gaps in static analysis and vulnerable-dependency detection. The Makefile commands
    failed under uv because those packages don't install console scripts; `python -m`
    ensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515
    `crit` header parameter (CVSS 7.5).
    
    ## Notes
    
    - The `uv run` to `uv run python -m` change also affects CI since python-package calls `make lint` and `make test`
    - release.yml, auto-labeler.yml, and pr-title.yml use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead
    - pylint was also changed to `python -m` beyond what the upstream stale-repos PR did, since it failed the same way as flake8/mypy/pytest
    - PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior
    - The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed
    
    Signed-off-by: Jason Meridth <jmeridth@gmail.com>
    
    * chore: drop autobuild step of codeql from code review
    
    Signed-off-by: jmeridth <jmeridth@gmail.com>
    
    ---------
    
    Signed-off-by: Jason Meridth <jmeridth@gmail.com>
    Signed-off-by: jmeridth <jmeridth@gmail.com>
    jmeridth authored Mar 14, 2026
    e26b4f3
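An added illustration of the permissions change the commit message describes (example configuration written for this page, not taken from the issue-metrics repository or from the commit above): the weak layout, where a workflow-level `permissions` block hands write scopes to every job, beside the corrected layout, where the workflow default is read-only and only the job that needs a write scope declares it, with the step-security/harden-runner audit step as the first step of each job. The workflow name, the `lint` and `label` jobs, `actions/checkout@v4`, `make lint` and the `@v2`/`@v4` version tags are assumptions for the example.

```yaml
# Example only: not from the issue-metrics repository. Two YAML documents in one
# file, separated by "---", so the weak and the corrected form sit side by side.

# --- Weak form: workflow-level write scopes apply to EVERY job ---
name: example-before
on: [pull_request]
permissions:
  contents: write        # the lint job gets this too, though it never writes
  pull-requests: write   # same: granted to every job in the workflow
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  label:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR" --add-label needs-review
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}

---
# --- Corrected form: read-only default, write scope declared per job ---
name: example-after
on: [pull_request]

# Workflow-level default for the GITHUB_TOKEN: read the repository, nothing more.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits the read-only default.
    steps:
      # harden-runner is placed first so it observes every later step's egress;
      # "audit" mode logs outbound calls without blocking them.
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: make lint

  label:
    runs-on: ubuntu-latest
    # Only this job needs to write to pull requests. A job-level block REPLACES
    # the workflow-level block for this job, so every scope not listed here
    # (including contents) drops to "none" rather than inheriting "read".
    permissions:
      pull-requests: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - run: gh pr edit "$PR" --add-label needs-review
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

Two details matter when applying this pattern: a job-level `permissions` block does not merge with the workflow-level one, so a job that also needs to read the checkout must list `contents: read` explicitly alongside its write scope; and the version tags shown are a convenience for the example, whereas a hardened workflow pins each `uses:` reference to a full commit SHA so that a moved tag cannot swap in different action code.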

Commits on Mar 19, 2026

  1. 7adb50d
  2. 728c838
  3. 775d0f1
  4. chore(deps): bump numpy from 2.4.2 to 2.4.3 in the dependencies group (#708)
    
    Bumps the dependencies group with 1 update: [numpy](https://github.com/numpy/numpy).
    
    
    Updates `numpy` from 2.4.2 to 2.4.3
    - [Release notes](https://github.com/numpy/numpy/releases)
    - [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
    - [Commits](numpy/numpy@v2.4.2...v2.4.3)
    
    ---
    updated-dependencies:
    - dependency-name: numpy
      dependency-version: 2.4.3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: dependencies
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Mar 19, 2026
    59da731

Commits on Mar 20, 2026

  1. fix: prevent dev dependency downloads at runtime (#704)

    Add --no-dev to the uv run ENTRYPOINT so that dev dependencies
    (black, mypy, pylint, etc.) are not re-downloaded on every action
    invocation. The build step already uses --no-dev during uv sync,
    but uv run was resolving the full dependency graph at runtime.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    zkoppert and Copilot authored Mar 20, 2026
    326551a