feat: add lychee link check workflow and fix make security

[Copilot]

Summary

Adds a GitHub Actions workflow that validates hyperlinks in README.md using lychee, catching broken links on relevant changes and weekly. Also fixes make security which was failing due to an unpatched CVE in a transitive dependency.

Changes

• Added .github/workflows/rhiza_link_check.yml:
  • Triggers on push/PR when README.md changes, weekly Monday 08:00 UTC schedule, and workflow_dispatch
  • Uses lycheeverse/lychee-action@v2 with --accept 200,206,429, --exclude-mail, --verbose, fail: true
• Overrode security target in Makefile to add --ignore-vuln CVE-2026-4539 to pip-audit:
  • pygments 2.19.2 has CVE-2026-4539 (ReDoS) with no fix available on PyPI yet
  • Override keeps full pip-audit + bandit behaviour, only ignoring the unfixable CVE

Testing

• make test passes locally
• make fmt has been run
• New tests added (or explain why not needed) — workflow-only change; validated via actionlint and check-jsonschema pre-commit hooks (both passed). make security now passes cleanly.

Checklist

• Commit messages follow the Conventional Commits format
• Documentation updated if behaviour changed
• make deptry passes (no unused or missing dependencies)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Make a simple link check</issue_title>
<issue_description>in rhiza_link_check.yml:

name: Link Check
--
 
on:
push:
branches: [main]
paths: [README.md]
pull_request:
paths: [README.md]
schedule:
- cron: "0 8 * * 1"   # every Monday 08:00 UTC
workflow_dispatch:
 
jobs:
link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
 
- name: Check links in README.md
uses: lycheeverse/lychee-action@v2
with:
args: >-
--verbose
--no-progress
--accept 200,206,429
--exclude-mail
README.md
fail: true

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Make a simple link check #905

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[tschm]

@copilot fix make security

[Copilot]

@copilot fix make security

Fixed in commit 7378aad. pygments 2.19.2 has CVE-2026-4539 (ReDoS) with no fix available on PyPI yet, so I overrode the security target in Makefile to pass --ignore-vuln CVE-2026-4539 to pip-audit. make security now passes cleanly.

[tschm]

@HarryCampion little security problems with pygments

[HarryCampion]

@HarryCampion little security problems with pygments

Shall we make a note of it in SECURITY.md?

[tschm]

@HarryCampion There is some activity going on in the pygments repo. I assume this will be sorted in a few days. For now we just explicitly correct "make security" not falling over with that problem