Fix stalled daily release Dependabot alert collection #53

Open
thinksyncs wants to merge 4 commits into main from codex/fix-daily-release-dependabot-alerts

Conversation

Contributor

@thinksyncs thinksyncs commented Apr 26, 2026

Summary

  • prevent Daily Release from failing when GITHUB_TOKEN cannot read Dependabot alerts
  • support optional DEPENDABOT_ALERTS_TOKEN for full Dependabot alert reporting
  • include a status asset and release-note status when alert collection is unavailable
  • reduce scheduled CI cost by moving daily scheduled workflows and Dependabot version updates to weekly cadence
  • keep PR/push quality gates, while limiting scheduled Build to ubuntu-latest instead of the full Ubuntu/macOS/Windows matrix
  • detect .env-style secret-bearing files by filename during workspace safety assessment
  • separate .env template files such as .env.example and .env.sample from secret-bearing files
  • surface env scan truncation so users can tell when detection was incomplete
  • confirm broad git operations and block publish operations when secret-bearing files or incomplete env scans are present
  • add fixture-backed coverage for real .env file layouts, ignored directories, templates, and scan limits

Verification

  • actionlint .github/workflows/build.yml .github/workflows/codeql.yml .github/workflows/daily-release.yml .github/workflows/dependency-maintenance.yml .github/workflows/security.yml
  • ruby -e "require 'yaml'; Dir['.github/workflows/*.yml'].each { |f| YAML.load_file(f) }; YAML.load_file('.github/dependabot.yml'); puts 'yaml ok'"
  • npm test
  • npm run build

Copilot AI review requested due to automatic review settings April 26, 2026 04:55

Copilot AI left a comment


Pull request overview

Updates the Daily Release GitHub Actions workflow to avoid failing when Dependabot alerts can’t be fetched with the default token, while still supporting full reporting when an explicit Dependabot token is provided.

Changes:

  • Make Dependabot alert collection optional via DEPENDABOT_ALERTS_TOKEN, and gracefully fall back to empty alerts + warning/status output when unavailable.
  • Add a dependabot-alerts-status.txt artifact and include status messaging in generated daily release notes.
  • Upload the Dependabot status file as part of the daily release assets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: .github/workflows/daily-release.yml
Description: Adds optional Dependabot token handling, records availability status, and includes status in notes/assets to prevent workflow failure.

File: .beads/issues.jsonl
Description: Records the task closure entry for fixing the stalled daily release automation.


Comment on lines 186 to 189
DEP_TOTAL=$(jq 'length' dependabot-alerts.json)
DEP_HIGH=$(jq '[.[] | select(.security_advisory.severity == "high" or .security_advisory.severity == "critical")] | length' dependabot-alerts.json)
DEP_MEDIUM=$(jq '[.[] | select(.security_advisory.severity == "medium")] | length' dependabot-alerts.json)
DEP_LOW=$(jq '[.[] | select(.security_advisory.severity == "low")] | length' dependabot-alerts.json)