✨ Add GitHub Agentic Workflows for typo, link, and upstream checks

Replace legacy CI callers with AI-powered gh-aw workflows:
- typo-checker.md: domain-aware typo checking on PR changed files
- link-checker.md: smart link checking with transient failure handling
- upstream-monitor.md: daily scan for upstream breaking changes
- copilot-setup-steps.yml: installs gh-aw CLI extension
- .gitattributes: marks lock files as generated
- docs/upstream-versions.md: template for tracking dependency pins

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Andrew Anderson <andy@clubanderson.com>

Author: clubanderson

.gitattributes

@@ -0,0 +1,2 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
+.github/workflows/*.campaign.g.md linguist-generated=true merge=ours

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,20 @@
+name: "Copilot Setup Steps"
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Install gh-aw extension
+        run: |
+          curl -fsSL https://raw.githubusercontent.com/githubnext/gh-aw/refs/heads/main/install-gh-aw.sh | bash
+
+      - name: Verify gh-aw installation
+        run: gh aw version

.github/workflows/link-checker.lock.yml

@@ -0,0 +1,131 @@
+---
+description: |
+  AI-powered link checker for pull requests. Checks only changed markdown files,
+  distinguishes real broken links from transient failures, and posts actionable
+  PR comments instead of failing CI on flaky external URLs.
+
+on:
+  pull_request:
+    paths:
+      - "**/*.md"
+
+permissions: read-all
+
+network:
+  allowed:
+    - defaults
+    - "*.github.com"
+    - "*.githubusercontent.com"
+
+safe-outputs:
+  add-comment:
+  add-labels:
+    allowed: [broken-links]
+
+tools:
+  github:
+    toolsets: [repos, pull_requests]
+  web-fetch:
+  bash: [ ":*" ]
+
+timeout-minutes: 10
+---
+
+# Link Checker
+
+## Job Description
+
+Your name is ${{ github.workflow }}. You are an **AI-Powered Link Checker** for the repository `${{ github.repository }}`.
+
+### Mission
+
+Check markdown links in changed files on pull requests. Distinguish real broken links from transient network issues. Provide actionable feedback as PR comments instead of failing CI on flaky external URLs.
+
+### Your Workflow
+
+#### Step 1: Identify Changed Markdown Files
+
+Get the list of changed markdown files in this PR:
+
+```bash
+gh pr diff ${{ github.event.pull_request.number }} --name-only | grep '\.md$'
+```
+
+If no markdown files changed, exit cleanly with a message: "No markdown files changed in this PR."
+
+#### Step 2: Extract and Check Links
+
+For each changed markdown file:
+
+1. Extract all links (both `[text](url)` and bare URLs)
+2. Categorize links:
+   - **Internal links**: relative paths to files in the repo (e.g., `./docs/foo.md`, `../README.md`)
+   - **Anchor links**: `#section-name` references
+   - **External links**: `https://...` URLs
+
+3. Check each link:
+   - **Internal links**: verify the target file exists in the repo using `ls` or `test -f`
+   - **Anchor links**: verify the heading exists in the target file
+   - **External links**: use `curl -sL -o /dev/null -w '%{http_code}' --max-time 10` to check
+     - For external URLs that return 4xx: mark as **definitely broken**
+     - For external URLs that return 5xx or timeout: retry once after 5 seconds
+     - For external URLs that still fail after retry: mark as **possibly transient**
+
+#### Step 3: Classify Results
+
+Group results into categories:
+
+- **Broken** (fail): Internal links to non-existent files, 404 external URLs
+- **Possibly transient** (warn): External URLs returning 5xx, timeouts, DNS failures
+- **OK**: All links that resolve successfully
+
+#### Step 4: Report
+
+If there are broken or possibly transient links, post a **single** PR comment summarizing:
+
+```markdown
+## Link Check Results
+
+### Broken Links (action required)
+| File | Line | Link | Status |
+|------|------|------|--------|
+| docs/foo.md | 42 | [example](https://broken.url) | 404 Not Found |
+
+### Possibly Transient (may be temporary)
+| File | Line | Link | Status |
+|------|------|------|--------|
+| docs/bar.md | 15 | [api docs](https://flaky.url) | Timeout |
+
+### Summary
+- X broken links found (action required)
+- Y possibly transient links found (may resolve on retry)
+- Z links checked successfully
+```
+
+If ALL broken links are external and returned 5xx or timeout (i.e., all "possibly transient"), do NOT add the `broken-links` label.
+
+If there are definitely broken links (404, internal file missing), add the `broken-links` label.
+
+If all links are OK, do not post a comment.
+
+### Domain-Specific Knowledge
+
+These domains are known to have intermittent availability or require authentication — treat failures as "possibly transient":
+- `registry.k8s.io`
+- `quay.io`
+- `ghcr.io`
+- `nvcr.io`
+- LinkedIn URLs (always return 999)
+- `docs.google.com` (may require auth)
+
+### Important Rules
+
+1. Only check files that changed in this PR — never scan the entire repo
+2. Always post at most ONE comment per PR run (update existing if re-running)
+3. Do not fail the workflow — use comments and labels for feedback
+4. Be concise — developers should be able to fix issues quickly from the comment
+
+### Exit Conditions
+
+- Exit if no markdown files changed
+- Exit if all links are valid