feat: add dependabot, scorecard, and CI timeout

[pdettori]

Summary

Phase 4 of repo orchestration — completes the CI baseline. The repo already has strong ci.yaml and security-scans.yaml workflows; this PR fills the remaining gaps.

New files:

• .github/dependabot.yml: weekly automated dependency updates for:

  • GitHub Actions (SHA pins stay current)
  • Python/pip — root pyproject.toml
  • Python/pip — plugins/examples/nemocheck/pyproject.toml
  • Docker — root Dockerfile base image

• .github/workflows/scorecard.yml: OpenSSF Scorecard analysis

  • Triggers: push to main + weekly Monday schedule
  • Publishes results to GitHub Security tab and OpenSSF API (enables public badge)
  • All actions SHA-pinned

Modified:

• .github/workflows/ci.yaml: add timeout-minutes: 15 to prevent hung CI jobs

What was already in place (not changed)

Workflow	Coverage
ci.yaml	lint (pre-commit/ruff), unit tests (server + nemocheck), Python 3.11/3.12 matrix
security-scans.yaml	dependency review, shellcheck, yamllint, hadolint, bandit, trivy, codeql, action pinning
stale.yaml	org reusable stale issue/PR workflow
self-assign.yml	org reusable self-assign workflow

Test plan

• Dependabot PRs appear within a week of merge
• Scorecard workflow runs on merge to main (check Actions tab)
• CI matrix still passes (timeout added, no other changes)

[evaline-ju]

The build is a bit complicated for this repo currently but the other additions lgtm - perhaps we could leave that off for now?

[evaline-ju]

I'm currently testing a parallel of this (though not as generic) - image building here requires building some envoy protos which we've kept separately from the Dockerfile for now since the Python compilation was pretty messy

[pdettori]

Good call — removed build.yml in the latest commit. The PR now only contains dependabot.yml, scorecard.yml, and the timeout-minutes addition to ci.yaml.

[evaline-ju]

Good call — removed build.yml in the latest commit. The PR now only contains dependabot.yml, scorecard.yml, and the timeout-minutes addition to ci.yaml.

Thanks @pdettori! Would you mind updating the PR title + description to reflect this? I now have a separate PR for the image build in #75

[evaline-ju]

let's update the kagenti/maintainers reviewers with the new kagenti/plugin-adapters-maintainers group like in #73

[julianstephen]

Is this resolved? I don't think I have permissions to see group memembership.

[evaline-ju]

@julianstephen I see you in the expected group now

[pdettori]

Addressed review feedback:

1. PR title + description updated — removed "container build CI" references since build.yml was dropped (now handled separately in ci: Image build workflow #75)
2. Dependabot reviewers updated — changed from kagenti/maintainers to kagenti/plugin-adapters-maintainers across all 4 package ecosystems, consistent with feat: add security governance (CODEOWNERS, SECURITY.md, .gitignore hardening) #73