chore: harden dependency and workflow automation

[devin-ai-integration]

Summary

Applies the same dependency and workflow automation hardening shipped in agentuity/sdk#1471 to this repository.

Adds:

• renovate.json — Renovate config with config:best-practices, dependency dashboard, semantic commits, GitHub Action digest pinning, npm release-age gate (3 days), lock file maintenance, and major-update approval gate. Configured for bun because every example uses bun.lock.
• .github/workflows/gitleaks.yml — Gitleaks secret scan on PRs, merge group, daily, and manual dispatch.
• .github/workflows/osv-scanner-pr.yml — OSV-Scanner diff scan that fails on newly introduced vulnerabilities and uploads SARIF. Runs recursively so every example is scanned.
• .github/workflows/osv-scanner-nightly.yml — Nightly full OSV-Scanner via the reusable workflow.
• .github/workflows/trivy.yml — Trivy filesystem scan for CRITICAL/HIGH vulnerabilities, uploads SARIF.
• .github/workflows/actionlint.yml — Actionlint on workflow changes.
• .github/actionlint.yaml — Declares known self-hosted runner labels.

All new workflows declare a minimal permissions: scope, blank out GITHUB_TOKEN, use persist-credentials: false, and pin every third-party action to a commit digest.

Review & Testing Checklist for Human

• Confirm the GITLEAKS_LICENSE org secret is available so the gitleaks workflow can run (it's referenced via secrets.GITLEAKS_LICENSE).
• Verify CI passes — new scanners (Trivy, OSV-Scanner PR) may surface preexisting issues across the many example sub-projects that need to be triaged or suppressed.
• Once merged, expect Renovate to open many initial PRs (digest pinning + per-example lock-file maintenance). Use the dependency dashboard to manage the queue.

Notes

This repo currently has no existing GitHub Actions workflows, so only the new security workflows and the renovate.json are added — no existing workflow modifications are needed. The scanners run with --recursive, so every example sub-project is scanned in one CI run.

Link to Devin session: https://app.devin.ai/sessions/cd54221cc1e34e1e8f95b6c7fea17f53
Requested by: @jhaynie

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[coderabbitai]

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 58 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca8c3fc9-4984-4fd9-8b2b-46c215137f9d

📥 Commits

Reviewing files that changed from the base of the PR and between a572ccb and a1fa3b8.

📒 Files selected for processing (7)

• .github/actionlint.yaml
• .github/workflows/actionlint.yml
• .github/workflows/gitleaks.yml
• .github/workflows/osv-scanner-nightly.yml
• .github/workflows/osv-scanner-pr.yml
• .github/workflows/trivy.yml
• renovate.json

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.