ci: supply-chain hardening (gitleaks, Dependabot, zizmor) + develop/main branch model

[VijitSingh97]

Closes #117. Part of the tooling epic #116; the broader pre-commit hook set is left to #118.

Targets develop. This PR also adopts the develop/main branch model (see below); develop is now the repo default. It'll ride into main at the 1.1 release.

RigForge is already supply-chain-hardened where it counts (SHA-pinned actions, version+commit-pinned & verified XMRig build, checksum-verified CI tool installs). This PR adds only the cross-cutting gaps from #117 — it does not redo that work.

1. gitleaks — secret scanning

• New .github/workflows/security.yml gitleaks job scans the full git history for committed secrets (pool credentials, tokens, the Worker setup: fetch the stratum access-password → default-on stratum auth (Pithead #208 · #152 Phase 2) #113 stratum access-password) on every push and PR.
• The binary is version- and checksum-pinned (8.30.1, sha256 verified), mirroring the existing shellcheck/shfmt install pattern — reproducible, no runner-image drift, no apt mirror flakiness.
• Matching .pre-commit-config.yaml hook pinned to the same gitleaks version so a leak is caught locally before it's ever pushed (local == CI).

2. Dependabot

• .github/dependabot.yml for the github-actions ecosystem only — RigForge is pure shell, so there's no pip/npm/docker ecosystem to track. Keeps the hand-pinned action SHAs current (bumps the pin and the trailing version comment) and surfaces action advisories. Bumps roll up into one weekly PR.

3. zizmor — workflow audit

• New security.yml zizmor job static-audits the workflows (template injection, over-broad GITHUB_TOKEN, unpinned actions, credential persistence). Pinned to 1.25.2 via pipx.
• Online audits are on (zizmor's default): GH_TOKEN lets the known-vulnerable-actions audit cross-reference our pinned actions against the GitHub Advisory Database, so a disclosed CVE fails the gate. Runs on push/PR plus a weekly schedule, so a freshly-published advisory trips against the default branch even with no open PRs. Complements Dependabot: zizmor blocks the merge, Dependabot opens the bump.
• To make the audit clean, hardened the existing workflows:
  • ci.yml: top-level least-privilege permissions: contents: read.
  • ci.yml + release.yml: persist-credentials: false on every actions/checkout.

Branch model (mirrors Pithead)

• develop is now the default/integration branch; main is the release branch. develop merges to main at each release (1.1 onward), and tags are cut from main.
• ci.yml + security.yml run on push: [main, develop]; the coverage gate now diffs against the PR's actual base branch (github.base_ref) instead of a hardcoded origin/main, so patch coverage stays correct once develop diverges.
• CONTRIBUTING.md / RELEASING.md document the model and the release promotion flow.

Acceptance (#117)

• gitleaks gate green in CI + pre-commit hook active
• .github/dependabot.yml (github-actions) live
• zizmor clean (no allowlist needed)

Validation

• gitleaks 8.30.1 — no leaks found over full history (168 commits) and the working tree.
• zizmor 1.25.2 — No findings to report (exit 0) across all three workflows, offline and online, after the hardening (baseline was 12 findings: 6 artipacked, 6 excessive-permissions).

Scope notes

• The broader pre-commit hooks (shellcheck/shfmt/yamllint/markdownlint + freebies) and .editorconfig are tooling: DX glue + config/docs lint (.editorconfig, pre-commit, yamllint, markdownlint + lychee) #118's deliverable; this PR only seeds .pre-commit-config.yaml with the gitleaks hook so tooling: DX glue + config/docs lint (.editorconfig, pre-commit, yamllint, markdownlint + lychee) #118 extends it cleanly.

🤖 Generated with Claude Code