feat(security): add OpenSSF Scorecard workflow and maximize score (#498)

* feat(security): add OpenSSF Scorecard workflow and maximize score

- Add scorecard.yml workflow (weekly + push to main) with SARIF upload
- Add CONTRIBUTING.md for contributor guidelines
- Add SLSA provenance attestation job to release workflow
- Add CycloneDX SBOM generation job to release workflow
- Pin Dockerfile base images to sha256 digests
- Enable Renovate pinDigests and platformAutomerge
- Add OpenSSF Scorecard badge to README

* fix(docs): address PR #498 review comments and remove .coderabbit.yaml

- Delete .coderabbit.yaml (falls back to shared org-level config)
- Add missing linter deps to CONTRIBUTING.md install step
- Separate make all and make test into distinct steps
- Fix line length note to match EditorConfig (200 chars, no MD override)
- Add yamllint/markdownlint to YAML/JSON/Markdown linter list
- Refine action references guidance
- Expand "Adding a New Action" section with action-docs and catalog info

.github/renovate.json

@@ -4,6 +4,8 @@
     "github>ivuorinen/renovate-config",
     "customManagers:biomeVersions"
   ],
+  "pinDigests": true,
+  "platformAutomerge": true,
   "packageRules": [
     {
       "matchUpdateTypes": [