Context
Following #11/#12/#13 (org workflow templates + reusables now on `.github/main`), roll out the two zero-config additions to every FerrLabs repo:
- `security-scan.yml` — calls the shared reusable (gitleaks + osv-scanner + trufflehog on schedule). SARIF uploaded to Security → Code scanning.
- `pr-title.yml` — Conventional Commits validation on PR titles (mandatory because we squash-merge and the title becomes the commit message on `main`).
Scope
Pure additions — no existing CI files touched, no removals, no restructuring. Zero regression risk.
Repos
Out of scope (deliberate)
- CodeQL / Scorecard rollout — already partial on some repos, requires per-repo language matrix decisions
- Migrating existing audit/security workflows (each is bespoke, low value to consolidate today)
- Touching `docker.yml` workflows to call `reusable-docker-build` — needs per-repo validation that the reusable matches their build pattern