ci: add centralized workflows and security scan templates

- _build-reusable.yml: reusable build with SLSA L3 attestation, SBOM, license report
- scorecard.yml: reusable OpenSSF Scorecard (no badge commit)
- workflow-templates/codeql.yml: CodeQL template (job key: codeql)
- workflow-templates/semgrep.yml: Semgrep template (job key: semgrep)

All actions SHA-pinned. Templates are reference copies — each repo
copies and adapts. Status check contract names documented inline.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Fieldnote-Echo

.github/workflow-templates/.gitkeep

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2025-2026 Project Navi contributors
+#
+# STATUS CHECK CONTRACT: Job name "codeql" is required by org ruleset.
+# Do NOT rename without updating org rulesets.
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "30 5 * * 1"
+
+permissions: {}
+
+jobs:
+  # CONTRACT: This job name "codeql" is a required status check in org rulesets.
+  codeql:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b  # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
+        with:
+          languages: python
+          queries: +security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
+
+      - name: Perform analysis
+        uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
+        with:
+          category: "/language:python"

.github/workflow-templates/codeql.yml

@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2025-2026 Project Navi contributors
+#
+# STATUS CHECK CONTRACT: Job name "semgrep" is a required status check in org rulesets.
+# Do NOT rename without updating org rulesets.
+name: Semgrep SAST
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "30 5 * * 1"
+
+permissions: {}
+
+jobs:
+  # CONTRACT: This job name "semgrep" is a required status check in org rulesets.
+  semgrep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    container:
+      image: semgrep/semgrep@sha256:e04d2cb132288d90035db8791d64f610cb255b21e727b94db046243b30c01ae9
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Run Semgrep
+        run: semgrep scan --config p/python --config p/owasp-top-ten --sarif -o semgrep.sarif
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
+        with:
+          sarif_file: semgrep.sarif
+        if: always()

.github/workflow-templates/semgrep.yml

@@ -0,0 +1,115 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2025-2026 Project Navi contributors
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      tag_name:
+        description: "Git tag for the release"
+        required: true
+        type: string
+      package_name:
+        description: "Python package name for smoke test import"
+        required: true
+        type: string
+      python_version:
+        description: "Python version to build with"
+        required: false
+        type: string
+        default: "3.12"
+
+permissions: {}
+
+jobs:
+  build:
+    name: Build and attest
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b  # v2.15.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098  # v7.3.1
+
+      - name: Build package
+        run: uv build
+
+      - name: Smoke test
+        env:
+          PKG_NAME: ${{ inputs.package_name }}
+        run: |
+          python -m venv .venv-smoke
+          .venv-smoke/bin/pip install dist/*.whl
+          .venv-smoke/bin/python -c "import $PKG_NAME"
+
+      - name: Generate SBOM (CycloneDX)
+        run: |
+          pip install cyclonedx-bom==4.7.0
+          cyclonedx-py environment -o sbom.cdx.json --output-format json
+
+      - name: Generate SBOM (SPDX)
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11  # v0.23.0
+        with:
+          artifact-name: sbom.spdx.json
+          output-file: sbom.spdx.json
+
+      - name: Generate license report
+        run: |
+          pip install pip-licenses==5.0.0
+          pip-licenses --format=csv --output-file=licenses.csv
+          pip-licenses --format=plain --output-file=licenses.txt
+
+      - name: Generate release notes
+        run: |
+          pip install git-cliff==2.8.0
+          git cliff --latest --output RELEASE_NOTES.md || echo "No release notes generated"
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: "dist/*"
+
+      - name: Upload dist
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: dist
+          path: dist/
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: sbom
+          path: |
+            sbom.cdx.json
+            sbom.spdx.json
+
+      - name: Upload licenses
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: licenses
+          path: |
+            licenses.csv
+            licenses.txt
+
+      - name: Upload release notes
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: release-notes
+          path: RELEASE_NOTES.md

.github/workflows/.gitkeep

@@ -0,0 +1,38 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2025-2026 Project Navi contributors
+name: OpenSSF Scorecard
+
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b  # v2.15.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a  # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
+        with:
+          sarif_file: results.sarif