feat(workflows): add dotnet-ci + cpp-ci reusables; extend required.yml dispatch

Adds the two deferred reusable workflows:

- dotnet-ci.yml: restore, build, format check, test. Configurable
  dotnet-version (default 9.0.x), solution path, working-directory.
- cpp-ci.yml: CMake configure + build + test matrix across
  ubuntu/macos/windows (configurable). Harden-runner on Linux only
  (step-security action is Linux-native).

Extends required.yml to dispatch the two new languages, and adds
proto handling (security-only, no language build dispatched). New
inputs: dotnet-version, dotnet-solution, cpp-os-list, cpp-source-dir,
cpp-cmake-flags.

After this lands, these placeholder consumer PRs can be hardened to
call real CI:
- resq-software/dotnet-sdk#36 (dotnet)
- resq-software/viz#4 (dotnet)
- resq-software/vcpkg#6 (cpp)
- resq-software/ardupilot#1 (cpp)

Author: WomB0ComB0

.github/workflows/cpp-ci.yml

@@ -0,0 +1,70 @@
+# Copyright 2026 ResQ Software
+# SPDX-License-Identifier: Apache-2.0
+#
+# Reusable C++ CI — CMake configure + build + test. Matrix over OS.
+# Callable from any resq-software/* repo. Pairs with security-scan.yml.
+# SHA-pinned actions with trailing `# <tag>`.
+
+name: cpp-ci
+
+on:
+  workflow_call:
+    inputs:
+      os-list:
+        description: JSON array of runner OS labels.
+        type: string
+        required: false
+        default: '["ubuntu-latest","macos-latest","windows-latest"]'
+      source-dir:
+        description: Path containing CMakeLists.txt (or subproject path).
+        type: string
+        required: false
+        default: "."
+      build-dir:
+        type: string
+        required: false
+        default: "build"
+      cmake-flags:
+        description: Extra flags passed to `cmake -B <build-dir>`.
+        type: string
+        required: false
+        default: ""
+      build-config:
+        type: string
+        required: false
+        default: "Debug"
+      run-test:
+        type: boolean
+        required: false
+        default: true
+      timeout-minutes:
+        type: number
+        required: false
+        default: 30
+
+permissions:
+  contents: read
+
+jobs:
+  build-test:
+    name: ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: ${{ inputs.timeout-minutes }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ${{ fromJSON(inputs.os-list) }}
+    steps:
+      - name: Harden Runner
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176  # v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - name: Configure
+        run: cmake -B ${{ inputs.build-dir }} ${{ inputs.cmake-flags }} ${{ inputs.source-dir }}
+      - name: Build
+        run: cmake --build ${{ inputs.build-dir }} --config ${{ inputs.build-config }}
+      - if: ${{ inputs.run-test }}
+        name: Test
+        run: ctest --test-dir ${{ inputs.build-dir }} --output-on-failure -C ${{ inputs.build-config }}

.github/workflows/dotnet-ci.yml

@@ -0,0 +1,106 @@
+# Copyright 2026 ResQ Software
+# SPDX-License-Identifier: Apache-2.0
+#
+# Reusable .NET CI — restore, build, test, format check. Callable from
+# any resq-software/* repo with a .sln or csproj tree. Pairs with
+# security-scan.yml. SHA-pinned actions with trailing `# <tag>`.
+
+name: dotnet-ci
+
+on:
+  workflow_call:
+    inputs:
+      dotnet-version:
+        description: .NET SDK version (e.g. "9.0.x", or "global.json").
+        type: string
+        required: false
+        default: "9.0.x"
+      solution:
+        description: Path to .sln or csproj (defaults to repo root auto-detect).
+        type: string
+        required: false
+        default: ""
+      working-directory:
+        type: string
+        required: false
+        default: "."
+      configuration:
+        type: string
+        required: false
+        default: "Release"
+      run-format-check:
+        type: boolean
+        required: false
+        default: true
+      run-test:
+        type: boolean
+        required: false
+        default: true
+      timeout-minutes:
+        type: number
+        required: false
+        default: 20
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: ${{ inputs.timeout-minutes }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176  # v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
+        with:
+          dotnet-version: ${{ inputs.dotnet-version }}
+      - name: Restore
+        run: dotnet restore ${{ inputs.solution }}
+      - name: Build
+        run: dotnet build ${{ inputs.solution }} -c ${{ inputs.configuration }} --no-restore
+
+  format:
+    if: ${{ inputs.run-format-check }}
+    name: Format check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176  # v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
+        with:
+          dotnet-version: ${{ inputs.dotnet-version }}
+      - run: dotnet format ${{ inputs.solution }} --verify-no-changes --severity warn
+
+  test:
+    if: ${{ inputs.run-test }}
+    name: Test
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: ${{ inputs.timeout-minutes }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176  # v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
+        with:
+          dotnet-version: ${{ inputs.dotnet-version }}
+      - run: dotnet test ${{ inputs.solution }} -c ${{ inputs.configuration }} --verbosity normal

.github/workflows/required.yml

@@ -3,28 +3,29 @@
 #
 # Reusable CI aggregator. Each consumer repo calls this with a `lang`
 # input matching its `lang` custom-repo-property value. The workflow
-# dispatches to the matching language CI (rust|python|node|polyglot)
-# and always runs the org-wide security scan in parallel. The final
-# `required` job needs all upstream jobs — Ruleset A requires the
-# `required` status-check context.
+# dispatches to the matching language CI (rust|python|node|dotnet|cpp|
+# proto|polyglot) and always runs the org-wide security scan in
+# parallel. The final `required` job needs all upstream jobs — Ruleset
+# A requires the `required` status-check context.
 #
-# SHA-pinned actions with trailing `# <tag>` for Dependabot.
+# For `lang: proto` repos (e.g. resq-proto), only security scanning
+# runs — no language build is dispatched. Add a buf lint / breaking-
+# change workflow locally if you want extra checks.
 
 name: required
 
 on:
   workflow_call:
     inputs:
       lang:
-        description: One of rust|python|node|polyglot.
+        description: One of rust|python|node|dotnet|cpp|proto|polyglot.
         type: string
         required: true
       working-directory:
         type: string
         required: false
         default: "."
       codeql-languages:
-        description: JSON array for security-scan CodeQL input.
         type: string
         required: false
         default: "[]"
@@ -68,6 +69,26 @@ on:
         type: string
         required: false
         default: '["3.11","3.12","3.13"]'
+      dotnet-version:
+        type: string
+        required: false
+        default: "9.0.x"
+      dotnet-solution:
+        type: string
+        required: false
+        default: ""
+      cpp-os-list:
+        type: string
+        required: false
+        default: '["ubuntu-latest"]'
+      cpp-source-dir:
+        type: string
+        required: false
+        default: "."
+      cpp-cmake-flags:
+        type: string
+        required: false
+        default: ""
 
 permissions:
   contents: read
@@ -113,12 +134,30 @@ jobs:
       test-cmd: ${{ inputs.node-test-cmd }}
       build-cmd: ${{ inputs.node-build-cmd }}
 
+  dotnet:
+    if: ${{ inputs.lang == 'dotnet' || inputs.lang == 'polyglot' }}
+    name: .NET CI
+    uses: ./.github/workflows/dotnet-ci.yml
+    with:
+      dotnet-version: ${{ inputs.dotnet-version }}
+      solution: ${{ inputs.dotnet-solution }}
+      working-directory: ${{ inputs.working-directory }}
+
+  cpp:
+    if: ${{ inputs.lang == 'cpp' || inputs.lang == 'polyglot' }}
+    name: C++ CI
+    uses: ./.github/workflows/cpp-ci.yml
+    with:
+      os-list: ${{ inputs.cpp-os-list }}
+      source-dir: ${{ inputs.cpp-source-dir }}
+      cmake-flags: ${{ inputs.cpp-cmake-flags }}
+
+  # proto repos get security-only; nothing to dispatch here beyond that.
+
   # `required` is the single status-check context consumed by Ruleset A.
-  # Passes iff every dispatched language job AND security passed.
-  # Skipped jobs (lang-mismatch `if:` gates) are treated as success.
   required:
     name: required
-    needs: [security, rust, python, node]
+    needs: [security, rust, python, node, dotnet, cpp]
     if: always()
     runs-on: ubuntu-latest
     steps:
@@ -128,10 +167,12 @@ jobs:
           RUST_RESULT: ${{ needs.rust.result }}
           PYTHON_RESULT: ${{ needs.python.result }}
           NODE_RESULT: ${{ needs.node.result }}
+          DOTNET_RESULT: ${{ needs.dotnet.result }}
+          CPP_RESULT: ${{ needs.cpp.result }}
         run: |
           set -eu
           fail=0
-          for r in "$SECURITY_RESULT" "$RUST_RESULT" "$PYTHON_RESULT" "$NODE_RESULT"; do
+          for r in "$SECURITY_RESULT" "$RUST_RESULT" "$PYTHON_RESULT" "$NODE_RESULT" "$DOTNET_RESULT" "$CPP_RESULT"; do
             case "$r" in
               success|skipped|"") ;;
               *) echo "::error::Upstream job returned: $r"; fail=1 ;;