
Add application security CI workflows#2

Draft
Copilot wants to merge 3 commits into main from copilot/update-application-security-ci

Conversation


Copilot AI commented Feb 22, 2026

  • Create .github/dependabot.yml for Dependabot version updates (composer + GitHub Actions)
  • Create .github/workflows/dependency-review.yml for dependency review on PRs
  • Create .github/workflows/scorecard.yml for OpenSSF Scorecard
  • Create .github/workflows/release.yml for release artifact attestation and SBOMs
  • Create .github/workflows/lint.yml for PHP code linting (phpcs PSR-12 + phpstan level 5)
  • Update composer.json to add dev linting dependencies (php_codesniffer, phpstan)
  • Add phpcs.xml and phpstan.neon configuration files
  • Create README.md with OpenSSF Scorecard badge
  • Fix PSR-12 violations in src/Client.php and src/Exception/HttpException.php:
    • Split long constructor signatures onto multiple lines (132/129 chars → PSR-12 compliant)
    • Add spaces around all string concatenation operators (.)
Original prompt

This section details the original issue you should resolve

<issue_title>Application security in CI</issue_title>
<issue_description>This issue tracks the rollout of application security in CI.

Requires workflow updates:

  • Dependabot Version updates
  • dependency review
  • OpenSSF scorecard and best practices (badges in README)
  • release artifact attestation
  • release SBOMs
  • coverage, if possible (badge in README)
  • code linters

Requires repository config updates, after workflows updates are merged:

  • Dependabot Alerts
  • Dependabot Security updates
  • CodeQL
  • secret scanning and push protection
  • private vulnerability reporting</issue_description>

Comments on the Issue (you are @copilot in this section)

@Schnitzel @copilot can you implement the requested changes?


Co-authored-by: Schnitzel <750999+Schnitzel@users.noreply.github.com>
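As an added illustration (not the files from this PR, whose contents are not shown on this page), here is a minimal Dependabot configuration for the composer and GitHub Actions ecosystems together with a dependency-review workflow that runs with a least-privilege token. The action versions are assumed; to satisfy Scorecard's pinned-dependencies check they should be pinned to a full commit SHA rather than a tag.

```yaml
# .github/dependabot.yml  (illustrative; assumed layout, not the PR's file)
version: 2
updates:
  # Keep PHP dependencies current
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
  # Keep the actions used by the workflows current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

# .github/workflows/dependency-review.yml  (illustrative; assumed layout)
name: Dependency review
on:
  pull_request:

# Least-privilege GITHUB_TOKEN: the job only needs to read the repository
# and, for the PR summary comment, write to pull requests.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Pin to a commit SHA in a real repo; the tag is a placeholder here
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a PR introduces a dependency with a
          # known vulnerability of this severity or higher
          fail-on-severity: moderate
          comment-summary-in-pr: always
```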
Copilot AI changed the title [WIP] Implement application security updates in CI workflows Add application security CI workflows Feb 22, 2026
Copilot AI requested a review from Schnitzel February 22, 2026 02:54
@Schnitzel (Member)

@copilot can you fix the failing linting?

…pException.php

Co-authored-by: Schnitzel <750999+Schnitzel@users.noreply.github.com>
Author

Copilot AI commented Feb 22, 2026

@copilot can you fix the failing linting?

Fixed in 30351fc. The PHP CodeSniffer was reporting two PSR-12 violations in the existing source files:

  1. Lines too long — both constructor signatures exceeded 120 chars (src/Client.php: 132 chars, src/Exception/HttpException.php: 129 chars). Split each onto multiple lines.
  2. Concatenation operator spacing — 8 occurrences of 'string'.expression without spaces around . in src/Client.php. Added spaces on both sides throughout.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Development

Successfully merging this pull request may close these issues.

Application security in CI
