ci(.github): add GitHub Actions workflows from hve-core

- add pr-validation.yml orchestrating linting on pull requests
- add main.yml for CI on pushes to main branch
- add codeql-analysis.yml for Python security scanning
- add dependency-review.yml for PR dependency security checks
- add individual reusable workflows: spell-check, markdown-lint, table-format, ps-script-analyzer, link-lang-check, markdown-link-check
- add Markdown-Link-Check.ps1 script and config

🔧 - Generated by Copilot

Author: WilliamBerryiii

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,54 @@
+name: CodeQL Security Analysis
+
+on:
+  schedule:
+    # Weekly scan: Sundays at 4 AM UTC
+    - cron: '0 4 * * 0'
+  workflow_call:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['python']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+        with:
+          category: "/language:${{ matrix.language }}"
+
+      - name: Add job summary
+        if: always()
+        run: |
+          echo "## CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Queries:** security-extended, security-and-quality" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "📊 View results in the Security tab under Code Scanning" >> $GITHUB_STEP_SUMMARY

.github/workflows/dependency-review.yml

@@ -0,0 +1,30 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main, develop]
+  workflow_call:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Review Dependencies
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.3.4
+        with:
+          fail-on-severity: moderate
+          comment-summary-in-pr: always

.github/workflows/link-lang-check.yml

@@ -0,0 +1,64 @@
+name: Link Language Check
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on language link violations'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  link-lang-check:
+    name: Link Language Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Create logs directory
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path logs | Out-Null
+
+      - name: Run Link Language Check
+        shell: pwsh
+        run: |
+          $params = @{}
+
+          if ('${{ inputs.soft-fail }}' -eq 'true') {
+            $params['SoftFail'] = $true
+          }
+
+          & scripts/linting/Invoke-LinkLanguageCheck.ps1 @params
+        continue-on-error: ${{ inputs.soft-fail }}
+
+      - name: Upload link language check results
+        if: always()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4.4.3
+        with:
+          name: link-lang-check-results
+          path: logs/link-lang-check-results.json
+          retention-days: 30
+
+      - name: Check results and fail if needed
+        if: ${{ !inputs.soft-fail }}
+        shell: pwsh
+        run: |
+          if ($env:LINK_LANG_CHECK_FAILED -eq 'true') {
+            Write-Host "Link language check failed and soft-fail is false. Failing the job."
+            exit 1
+          }

.github/workflows/main.yml

@@ -0,0 +1,54 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  # Spell checking using cspell
+  spell-check:
+    name: Spell Check
+    uses: ./.github/workflows/spell-check.yml
+    permissions:
+      contents: read
+
+  # Markdown linting using markdownlint-cli2
+  markdown-lint:
+    name: Markdown Lint
+    uses: ./.github/workflows/markdown-lint.yml
+    permissions:
+      contents: read
+
+  # Markdown table formatting check
+  table-format:
+    name: Table Format
+    uses: ./.github/workflows/table-format.yml
+    permissions:
+      contents: read
+
+  # PowerShell script analysis
+  psscriptanalyzer:
+    name: PSScriptAnalyzer
+    uses: ./.github/workflows/ps-script-analyzer.yml
+    with:
+      changed-files-only: false
+    permissions:
+      contents: read
+
+  # Link language locale check
+  link-lang-check:
+    name: Link Language Check
+    uses: ./.github/workflows/link-lang-check.yml
+    permissions:
+      contents: read
+
+  # Markdown link validation
+  markdown-link-check:
+    name: Markdown Link Check
+    uses: ./.github/workflows/markdown-link-check.yml
+    permissions:
+      contents: read

.github/workflows/markdown-link-check.yml

@@ -0,0 +1,66 @@
+name: Markdown Link Check
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on broken links'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  markdown-link-check:
+    name: Check Markdown Links
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@b9b25d45f70a5d94d88496aa4896bf9ed8f49b67 # v4.1.0
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Create logs directory
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path logs | Out-Null
+
+      - name: Run markdown link check
+        id: link-check
+        shell: pwsh
+        run: |
+          & scripts/linting/Markdown-Link-Check.ps1
+        continue-on-error: ${{ inputs.soft-fail }}
+
+      - name: Upload markdown link check results
+        if: always()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4.4.3
+        with:
+          name: markdown-link-check-results
+          path: logs/markdown-link-check-results.json
+          retention-days: 30
+
+      - name: Check results and fail if needed
+        if: ${{ !inputs.soft-fail && steps.link-check.outcome == 'failure' }}
+        shell: pwsh
+        run: |
+          Write-Host "Markdown link check failed and soft-fail is false. Failing the job."
+          exit 1

.github/workflows/markdown-lint.yml

@@ -0,0 +1,79 @@
+name: Markdown Lint
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on markdown lint violations'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  markdown-lint:
+    name: Markdown Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@b9b25d45f70a5d94d88496aa4896bf9ed8f49b67 # v4.1.0
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run markdown lint
+        id: markdown-lint
+        run: |
+          npm run lint:md > markdown-lint-output.txt 2>&1 || echo "MARKDOWN_LINT_FAILED=true" >> $GITHUB_ENV
+          cat markdown-lint-output.txt
+        continue-on-error: true
+
+      - name: Create annotations
+        if: env.MARKDOWN_LINT_FAILED == 'true'
+        run: |
+          echo "::warning::Markdown lint found violations. Review markdown-lint-output.txt artifact for details."
+
+      - name: Upload markdown lint results
+        if: always()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4.4.3
+        with:
+          name: markdown-lint-results
+          path: markdown-lint-output.txt
+          retention-days: 30
+
+      - name: Add job summary
+        if: always()
+        run: |
+          echo "## Markdown Lint Results" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ env.MARKDOWN_LINT_FAILED }}" == "true" ]; then
+            echo "❌ **Status**: Failed" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Markdown linting violations detected. Please review the artifact for details." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "✅ **Status**: Passed" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "No markdown linting violations detected." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Fail job if violations found
+        if: env.MARKDOWN_LINT_FAILED == 'true' && !inputs.soft-fail
+        run: |
+          echo "Markdown lint failed"
+          exit 1