feat(.github): Add GitHub workflows from hve-core (#22)

* build(scripts): add linting infrastructure with npm scripts

- add package.json with lint:md, lint:ps, lint:links, spell-check scripts
- migrate .markdownlint.json to .markdownlint-cli2.jsonc with ignores
- add PowerShell linting scripts from hve-core pattern
- add LintingHelpers module for GitHub Actions integration

🔧 - Generated by Copilot

* ci(.github): add GitHub Actions workflows from hve-core

- add pr-validation.yml orchestrating linting on pull requests
- add main.yml for CI on pushes to main branch
- add codeql-analysis.yml for Python security scanning
- add dependency-review.yml for PR dependency security checks
- add individual reusable workflows: spell-check, markdown-lint, table-format, ps-script-analyzer, link-lang-check, markdown-link-check
- add Markdown-Link-Check.ps1 script and config

🔧 - Generated by Copilot

* fix(.github): address Copilot review comments on PR #22

- link-lang-check: remove unused SoftFail param splatting
- link-lang-check: correct env var LINK_LANG_CHECK_FAILED to LINK_LANG_FAILED
- pr-validation: add pull-requests: write for dependency-review job
- dependency-review: remove duplicate pull_request trigger, add harden-runner
- package.json: use exact versions (remove ^ prefix)
- codeql-analysis: clarify time format to 04:00 UTC

🔧 - Generated by Copilot

* fix: add package-lock.json for npm caching in CI workflows

📦 - Generated by Copilot

* fix(build): lint only changed markdown files in PRs

- add changed-files detection step to markdown-lint workflow

- add changed-files detection step to markdown-link-check workflow

- skip lint/link-check when no markdown files changed

📦 - Generated by Copilot

* fix(docs): resolve markdown lint and link errors

- auto-fix blanks-around-lists and blanks-around-fences violations
- add LICENSE.md and ISSUE_TEMPLATE.md to lint ignores
- fix line length and emphasis-as-heading in README
- update Azure CLI URL to learn.microsoft.com

📝 - Generated by Copilot

# Conflicts:
#	.github/ISSUE_TEMPLATE.md
#	README.md

* fix(docs): correct broken link to OSMO workflow examples

🔗 - Generated by Copilot

* chore(docs): rename LICENSE.md to LICENSE

📄 - Generated by Copilot

* docs: update LICENSE references after rename

- Update README.md link to point to LICENSE instead of LICENSE.md
- Remove LICENSE.md from markdownlint ignores

📝 - Generated by Copilot

* fix(docs): resolve markdown lint errors and update linting workflows

- Fix 332 markdownlint errors across 24 files (tables, headings, code blocks)
- Revert workflows to lint all files instead of using changed-files filter
- Use 4-backtick wrapper in chatlog.prompt.md for nested code block template
- Restore SECURITY.md Microsoft boilerplate content

📝 - Generated by Copilot

* fix(docs): remove en-us path segment from Microsoft Docs URLs

- Remove en-us from 4 URLs in vpn/README.md and azureml-validation-job-debugging.md
- Reformat tables after URL changes

🔗 - Generated by Copilot

* fix(docs): correct broken relative links in templates and docs

- Fix issue template: README.md → ../../README.md, docs/ → ../../docs/
- Fix PR template: remove .github/ prefix from relative paths
- Fix debugging doc: update deploy/004-workflow path to workflows/azureml

🔗 - Generated by Copilot

Author: WilliamBerryiii

.github/ISSUE_TEMPLATE/00-general.md

@@ -45,14 +45,14 @@ Include any relevant information:
 
 <!-- Fill in if relevant to your issue -->
 
-| Component | Version |
-|-----------|---------|
-| OS | Ubuntu 22.04 / Windows 11 |
-| Python | 3.10.x / 3.11.x |
-| Terraform | 1.9.x |
-| Azure CLI | 2.x |
-| Isaac Sim | 4.5 / 5.0 |
-| GPU | NVIDIA RTX / A100 |
+| Component | Version                   |
+|-----------|---------------------------|
+| OS        | Ubuntu 22.04 / Windows 11 |
+| Python    | 3.10.x / 3.11.x           |
+| Terraform | 1.9.x                     |
+| Azure CLI | 2.x                       |
+| Isaac Sim | 4.5 / 5.0                 |
+| GPU       | NVIDIA RTX / A100         |
 
 ## Additional Notes
 
@@ -63,4 +63,4 @@ Include any relevant information:
 **Before submitting:**
 
 - [ ] I have searched [existing issues](https://github.com/Azure-Samples/azure-nvidia-robotics-reference-architecture/issues) for duplicates
-- [ ] I have reviewed the [README](README.md) and [documentation](docs/)
+- [ ] I have reviewed the [README](../../README.md) and [documentation](../../docs/)

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,4 +1,7 @@
+# Pull Request
+
 ## Description
+
 <!-- Brief description of changes. Link related issues using Closes #123 -->
 
 Closes #
@@ -34,8 +37,8 @@ Closes #
 
 ## Checklist
 
-- [ ] My code follows the [project conventions](.github/copilot-instructions.md)
-- [ ] Commit messages follow [conventional commit format](.github/instructions/commit-message.instructions.md)
+- [ ] My code follows the [project conventions](copilot-instructions.md)
+- [ ] Commit messages follow [conventional commit format](instructions/commit-message.instructions.md)
 - [ ] I have performed a self-review
 - [ ] Documentation updated as needed
 - [ ] No new linting warnings introduced

.github/copilot-instructions.md

@@ -13,20 +13,24 @@ Items in **HIGHEST PRIORITY** sections from attached instructions files override
 **Artifacts:** Do not create or modify tests, scripts, or one-off markdown docs unless explicitly requested.
 
 **Comment policy:** Never include thought processes, step-by-step reasoning, or narrative comments in code.
+
 * Keep comments brief and factual; describe **behavior/intent, invariants, edge cases**.
 * Remove or update comments that contradict the current behavior. Do not restate obvious functionality.
 * Do NOT add temporal or plan-phase markers (e.g. "Phase 1 cleanup", "... after migration", dates, or task references) to code files. When editing or updating any code files, always remove or replace these types of comments.
 
 **Conventions and Styling:** Always follow conventions and styling in this codebase FIRST for all changes, edits, updates, and new files.
+
 * Conventions and styling are in instruction files and must be read in with the `read_file` tool if not already added as an `<attachment>`.
 
 **Proactive fixes:** Always fix problems and errors you encounter, even if unrelated to the original request. Prefer root-cause, constructive fixes over symptom-only patches.
+
 * Always correct all incorrect or problematic conventions, styling, and redundant and/or misleading comments.
 
 **Deleting files and folders:** Use `rm` with the run_in_terminal tool when needing to delete files or folders.
 
 **Edit tools:** Never use `insert_edit_into_file` tool when other edit and file modification tools are available.
 
 **Memory and tracking work**: Always track work in Beads instead of Markdown.
+
 * All upcoming work, tracked work, issues, plans, todos, phases, tasks, and memory must always use the mcp_beads tools.
 * Don't ever use git commands for anything related to the mcp_beads tools and beads in general, its at the user's discretion when to use git commands and tools.

.github/instructions/commit-message.instructions.md

@@ -38,7 +38,6 @@ Scopes MUST be one of the following:
 - `(src)`
 - `(deploy)`
 
-
 ## Description
 
 - Description MUST be short and LESS THAN 100 bytes
@@ -62,7 +61,7 @@ For larger changes only:
 
 - Footer MUST start with a blank line
 - Must include an emoji that represents the change
-- Must end with ` - Generated by Copilot`
+- Must end with `- Generated by Copilot`
 
 ## Example Complete Commit Message - Large
 

.github/instructions/docs-style-and-conventions.instructions.md

@@ -39,12 +39,12 @@ Documents follow this section order when applicable:
 
 ### Heading Levels
 
-| Level | Usage |
-|-------|-------|
-| H1 (`#`) | Document title only, one per file |
-| H2 (`##`) | Major sections |
-| H3 (`###`) | Subsections within H2 |
-| H4+ | Avoid; restructure content instead |
+| Level      | Usage                              |
+|------------|------------------------------------|
+| H1 (`#`)   | Document title only, one per file  |
+| H2 (`##`)  | Major sections                     |
+| H3 (`###`) | Subsections within H2              |
+| H4+        | Avoid; restructure content instead |
 
 ### README Section Emojis
 
@@ -98,9 +98,9 @@ Use tables for structured information. Tables are scannable and align related da
 - Prerequisites with versions
 
 ```markdown
-| Script | Purpose |
-|--------|---------|
-| `01-deploy-robotics-charts.sh` | GPU Operator, KAI Scheduler |
+| Script                           | Purpose                               |
+|----------------------------------|---------------------------------------|
+| `01-deploy-robotics-charts.sh`   | GPU Operator, KAI Scheduler           |
 | `02-deploy-azureml-extension.sh` | AzureML K8s extension, compute attach |
 ```
 
@@ -280,10 +280,10 @@ This pattern appears frequently in AI-generated content:
 **Use tables when structure matters:**
 
 ```markdown
-| Component | Requirement |
-|-----------|-------------|
-| Storage | Blob containers for checkpoints |
-| Compute | GPU nodes with sufficient memory |
+| Component  | Requirement                           |
+|------------|---------------------------------------|
+| Storage    | Blob containers for checkpoints       |
+| Compute    | GPU nodes with sufficient memory      |
 | Networking | Private endpoints with DNS resolution |
 ```
 
@@ -329,10 +329,10 @@ Required fields: `title`, `description`. Add `ms.date` for versioned content.
 
 ## File Naming
 
-| Type | Convention | Example |
-|------|------------|---------|
-| README | `README.md` (uppercase) | `deploy/README.md` |
-| Guides | kebab-case | `mlflow-integration.md` |
+| Type       | Convention                  | Example                               |
+|------------|-----------------------------|---------------------------------------|
+| README     | `README.md` (uppercase)     | `deploy/README.md`                    |
+| Guides     | kebab-case                  | `mlflow-integration.md`               |
 | References | kebab-case with type suffix | `azureml-validation-job-debugging.md` |
 
 ## Checklist

.github/instructions/shell-scripts.instructions.md

@@ -100,34 +100,40 @@ info "Operation complete"
 <!-- <important-conventions> -->
 
 **Arguments:**
+
 - Short: `-h`, `-t` | Long: `--help`, `--tf-dir`
 - Value options: `shift 2` | Flags: `shift`
 - Unknown options: `fatal "Unknown option: $1"`
 
 **Variables:**
+
 - Always quote: `"$var"`, `"${array[@]}"`
 - Defaults: `var="${ENV_VAR:-default}"`
 - Booleans: `true`/`false` strings, test with `[[ "$var" == "true" ]]`
 
 **Output:**
+
 - Progress: `info "message"`
 - Warnings: `warn "message"`
 - Fatal errors: `fatal "message"`
 - Sections: `section "Title"`
 - Summaries: `print_kv "Key" "$value"`
 
 **Idempotent operations:**
+
 ```bash
 kubectl create ... --dry-run=client -o yaml | kubectl apply -f -
 helm repo add name url 2>/dev/null || true
 ```
 
 **Conditional output:**
+
 ```bash
 print_kv "Status" "$([[ $skip == true ]] && echo 'Skipped' || echo "$version")"
 ```
 
 **Array building:**
+
 ```bash
 args=(--version "$ver" --namespace "$ns")
 [[ -n "$extra" ]] && args+=(--set "$extra")
@@ -138,14 +144,14 @@ command "${args[@]}"
 
 ## Library Functions (lib/common.sh)
 
-| Function | Purpose |
-|----------|---------|
-| `info`, `warn`, `error`, `fatal` | Colored logging |
-| `require_tools tool1 tool2` | Validate CLI tools exist |
-| `read_terraform_outputs "$dir"` | Read terraform JSON |
-| `tf_get "$json" "path" "default"` | Extract optional value |
-| `tf_require "$json" "path" "desc"` | Extract required value |
-| `connect_aks "$rg" "$cluster"` | Get AKS credentials |
-| `ensure_namespace "$ns"` | Create namespace idempotently |
-| `section "Title"` | Print section header |
-| `print_kv "Key" "$val"` | Print key-value pair |
+| Function                           | Purpose                       |
+|------------------------------------|-------------------------------|
+| `info`, `warn`, `error`, `fatal`   | Colored logging               |
+| `require_tools tool1 tool2`        | Validate CLI tools exist      |
+| `read_terraform_outputs "$dir"`    | Read terraform JSON           |
+| `tf_get "$json" "path" "default"`  | Extract optional value        |
+| `tf_require "$json" "path" "desc"` | Extract required value        |
+| `connect_aks "$rg" "$cluster"`     | Get AKS credentials           |
+| `ensure_namespace "$ns"`           | Create namespace idempotently |
+| `section "Title"`                  | Print section header          |
+| `print_kv "Key" "$val"`            | Print key-value pair          |

.github/prompts/chatlog.prompt.md

@@ -37,7 +37,7 @@ Manage conversation details by creating and maintaining structured chatlog files
 * Create the `.copilot-tracking/chatlogs/` directory if it doesn't exist
 * Generate a new chatlog file with the following structure:
 
-```markdown
+````markdown
 # [Descriptive Title]
 
 **Date**: YYYY-MM-DD (e.g., November 19, 2025)
@@ -83,7 +83,7 @@ command here
 
 ## Related Documentation
 
-- [Link Title](URL)
+* [Link Title](URL)
 
 ## Follow-up Issues
 
@@ -96,7 +96,8 @@ command here
 
 1. [Key takeaway with brief explanation]
 2. [Another key takeaway]
-```
+
+````
 
 * Populate the chatlog with details from the current conversation context
 * Follow markdown linting rules strictly:
@@ -165,6 +166,7 @@ Ready to continue. What would you like to work on?
 ### Initial Response (mode=create)
 
 Format:
+
 ```text
 ✅ Created chatlog: .copilot-tracking/chatlogs/YYYYMMDD-brief-description-chatlog.md
 
@@ -191,6 +193,7 @@ Use the format specified in Phase 3 above, then proceed with the conversation.
 ### Final Summary (optional, at conversation end)
 
 Format:
+
 ```text
 📋 Chatlog Summary
 
@@ -201,7 +204,8 @@ Format:
 - [Section 2]: [brief description]
 
 **Key Additions**:
-- [Most important new insight/solution]
+* [Most important new insight/solution]
+
 ```
 
 ---

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,54 @@
+name: CodeQL Security Analysis
+
+on:
+  schedule:
+    # Weekly scan: Sundays at 04:00 UTC
+    - cron: '0 4 * * 0'
+  workflow_call:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['python']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
+        with:
+          category: "/language:${{ matrix.language }}"
+
+      - name: Add job summary
+        if: always()
+        run: |
+          echo "## CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Queries:** security-extended, security-and-quality" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "📊 View results in the Security tab under Code Scanning" >> $GITHUB_STEP_SUMMARY

.github/workflows/dependency-review.yml

@@ -0,0 +1,33 @@
+name: Dependency Review
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Review Dependencies
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.3.4
+        with:
+          fail-on-severity: moderate
+          comment-summary-in-pr: always