fix: tighten workflow permissions, add security hardening, and fix uv tool invocations

[jmeridth]

What

Move elevated permissions from workflow level to job level in mark-ready-when-ready and stale workflows so each job only holds the permissions it actually needs. Add step-security/harden-runner to all six workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via uv run python -m since they lack console script entry points in the uv venv.

Why

Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts; python -m ensures the tools are always found.

Notes

• The uv run to uv run python -m change also affects CI since python-ci calls make lint and make test
• auto-labeler.yml, pr-title.yml, and release.yml use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead
• pylint --fail-under=9.0 was intentionally removed to match upstream convention

[zkoppert]

The Autobuild step in codeql.yml is a no-op for Python since CodeQL analyzes source directly without a build step. Please remove the Autobuild step and its surrounding comments to keep the workflow clean.

[zkoppert]

LGTM - minor note: consider removing the Autobuild step from codeql.yml since it's a no-op for Python.