This issue tracks the rollout of application security in CI, including:

• Dependabot Alerts
• Dependabot Security updates
• Dependabot Version updates
• CodeQL
• secret scanning and push protection
• private vulnerability reporting
• dependency review
• OpenSSF scorecard and best practices (badges in README)
• release artifact signing
• release SBOMs
• coverage (badge in README)
• code linters