
chore(security): tighten rulesets (rebase-drop + CodeQL/Scorecard gating + tag-signing) + scorecard PR trigger#17

Merged
bilbospocketses merged 1 commit into
masterfrom
chore/security-followup-scorecard-pr-trigger-and-changelog
May 19, 2026

Conversation

@bilbospocketses
Owner

Cross-repo Tier B security parity sweep. svgedit + OAO + ws-scrcpy-web all landed equivalent ruleset tightening in parallel sessions today; this PR brings CM to parity, plus a CM-specific Scorecard-as-required-check extra. Relayed from another session — verified state-deltas pre-apply.

Ruleset changes (already applied via gh api PUT before this PR)

Branch ruleset 16554261

  • `pull_request.allowed_merge_methods` `["merge","squash","rebase"]` → `["squash","merge"]`. Repo-level `allow_merge_commit=false` masks the `merge` entry, so effective methods = `[squash]` only. Matches signed-repo discipline per `feedback_pr_workflow.md` (rebase skips the GitHub web-flow signing path, producing unsigned commits that fail `required_signatures`).
  • `required_status_checks` expanded from 1 to 5 contexts: `build-and-test`, `Analyze (csharp)`, `Analyze (javascript-typescript)`, `Analyze (actions)` (CodeQL App, integration_id 15368), plus `Scorecard analysis` (CM-specific addition — catches supply-chain regressions the per-language CodeQL contexts don't, e.g. dangerous-workflow patterns, unpinned actions, token-permission drift).

Tag ruleset 16554225

  • Added `required_signatures`. Pre-change rules `[deletion, non_fast_forward]` → `[deletion, non_fast_forward, required_signatures]`. Aligns with branch ruleset's signature requirement.

Repo-level

  • `allow_rebase_merge` `true → false` (UI cleanup; ruleset is the binding gate).

scorecard.yml companion changes (in this PR)

  1. Added `pull_request: branches: [master]` trigger. Without it, `Scorecard analysis` as a required check would never report on PRs and merges would block forever. Same-repo PRs use the head-branch's workflow file for trigger resolution, so this trigger takes effect from this PR forward — this PR's own Scorecard run is the proof.
  2. Gated `publish_results: ${{ github.event_name == 'push' }}`. PR runs would otherwise publish a branch-HEAD SHA not on master, triggering the same OpenSSF webapp `imposter commit` 400 we hit in PR #15 ("fix(security): scorecard-action — pin to commit SHA, not tag-object SHA"; different cause — branch-HEAD vs. tag-object — same SHA-not-on-commit-graph failure mode). On push events the score still publishes to api.securityscorecards.dev for the public viewer.

Deferrals

SHA-pin audit (clean, no fixes needed)

All 8 distinct SHA pins across 17 occurrences in ci.yml / release.yml / scorecard.yml audited against the two new SOP memories shipped this session ([[dependabot-precise-version-comment]] + [[action-sha-pin-commit-not-tag-object]]). Every comment is precise (`# vX.Y.Z`); every SHA dereferences to `type: commit`. The two annotated-tag offenders (`ossf/scorecard-action`, `github/codeql-action`) were already remediated in PRs #15 + #16. No further pin-hygiene work needed.

Test plan

  • CI `build-and-test` passes
  • All 4 CodeQL Analyses report (csharp, javascript-typescript, actions, plus the CodeQL meta-check)
  • `Scorecard analysis` reports on this PR (validates the new trigger; first PR to test it)
  • All 5 required status checks satisfy the new ruleset — merge unblocks
  • Post-merge: scorecard.yml push run on master commit publishes to scorecard.dev successfully (publish gate flips back to on)

…ing + tag-signing) + scorecard PR trigger

Cross-repo Tier B security parity sweep. svgedit, OAO, ws-scrcpy-web all
landed equivalent ruleset tightening in parallel sessions today; this PR
brings CM to parity plus a CM-specific Scorecard-as-required-check extra.

Ruleset changes (API-only, already applied pre-PR via gh api PUT):
- Branch ruleset 16554261:
  - pull_request.allowed_merge_methods ["merge","squash","rebase"] -> ["squash","merge"]
  - required_status_checks: added Analyze (csharp), Analyze (javascript-typescript),
    Analyze (actions) (CodeQL App, integration_id 15368) + Scorecard analysis
- Tag ruleset 16554225: added required_signatures
- Repo-level: allow_rebase_merge true -> false (UI cleanup; ruleset is the binding gate)

scorecard.yml companion changes (in this PR):
- Added `pull_request: branches: [master]` trigger so the new required check
  actually reports on PRs. Without it, every PR would block forever waiting
  for Scorecard analysis that never runs.
- Gated `publish_results: ${{ github.event_name == 'push' }}` — PR runs
  publish a branch-HEAD SHA not on master, triggering the same OpenSSF
  webapp "imposter commit" 400 we hit in PR #15 (different cause, same
  SHA-not-on-commit-graph failure mode).

Deferrals documented in CHANGELOG:
- Items #6 + #7 (secret-scanning non_provider_patterns + validity_checks)
  require GHAS license; PATCH calls silently no-op on free tier (confirmed
  empirically on svgedit). Deferred indefinitely.
@bilbospocketses bilbospocketses merged commit 631f6ce into master May 19, 2026
7 checks passed
@bilbospocketses bilbospocketses deleted the chore/security-followup-scorecard-pr-trigger-and-changelog branch May 19, 2026 07:25