ci: consolidate lint+test into ci.yml — commitizen, manifests drift, codecov

Replaces stub lint.yml and test.yml with a proper pipeline:
- lint job: conventional commits, CRD drift check, golangci-lint, gitleaks
- build job: multi-arch (amd64 + arm64), depends on lint
- test job: envtest + codecov upload, depends on lint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: syscod3

.github/workflows/ci.yml

@@ -0,0 +1,86 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+env:
+  GO_VERSION: "1.25"
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0   # commitizen needs full history
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      # Conventional commit validation — skip for dependabot
+      - name: Check commit messages
+        if: github.actor != 'dependabot[bot]'
+        run: |
+          pip install commitizen --quiet
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            cz check --rev-range ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}
+          else
+            cz check --rev-range HEAD~1..HEAD
+          fi
+
+      # CRD drift — fail if types were changed without re-running make manifests
+      - name: Check manifests are up to date
+        run: |
+          make manifests
+          git diff --exit-code || (echo "Run 'make manifests' and commit the result" && exit 1)
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v2.8.0
+
+      - name: Install gitleaks
+        run: |
+          curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz \
+            | tar -xz -C /usr/local/bin gitleaks
+
+      - name: Gitleaks
+        run: gitleaks detect --source . --no-git
+
+  build:
+    runs-on: ubuntu-latest
+    needs: lint
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Build
+        run: CGO_ENABLED=0 GOOS=linux GOARCH=${{ matrix.arch }} go build ./cmd/...
+
+  test:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Run tests
+        run: make test
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.out
+          fail_ci_if_error: false