
chore(eddy): modernization sweep — CI, attestations, governance, BibTeX#2

Merged
heznpc merged 1 commit into main from chore/modernize-2026-05-21 on May 21, 2026

Conversation

@heznpc (Owner) commented May 21, 2026

Summary

Repo-modernization sweep covering everything outside the prior README/positioning pass. No P0 findings; this PR clears the P1 list and the P2 items the user opted to apply now.

CI / supply chain

  • Bump and SHA-pin all GitHub Actions:
    • `actions/checkout` v4 → v6.0.2 (`de0fac2e`)
    • `actions/upload-artifact` v4 → v7.0.1 (`043fb46d`)
    • `xu-cheng/latex-action` v3 → v4.1.0 (`6549dc21`)
  • Workflow default `permissions: contents: read`; job-level opt-in to `contents: write` (commit step), `attestations: write` + `id-token: write` (SLSA).
  • New: SLSA build provenance attached to `paper/main.pdf` on push-to-main via `actions/attest-build-provenance@v4.1.0` (`a2bbfa25`).
  • Workflow also runs on `pull_request` (paths-filtered) so PRs surface build failures.

Security

  • `.github/workflows/gitleaks.yml` — push / PR / weekly cron. Defense-in-depth over GitHub-native push protection.
  • `SECURITY.md` — scope, contact (heznpc@gmail.com), 7-day ack / 30-day disposition window, coordinated-disclosure preference.

Governance / discoverability

  • `.github/dependabot.yml` — github-actions ecosystem, weekly, minor+patch grouped.
  • `.zenodo.json` — metadata for the existing DOI 10.5281/zenodo.19074337 (keywords, communities, related_identifiers).
  • `CITATION.cff` — enables GitHub's "Cite this repository" UI; preferred-citation block points at the Zenodo DOI.
  • README: build-pdf CI status badge.

Manuscript maintainability

  • Inline `\begin{thebibliography}{37}` (37 entries, ~190 lines) → `paper/main.bib` (BibTeX) + `\bibliographystyle{ACM-Reference-Format}` + `\bibliography{main}`. CI `latexmk` runs the bibtex pass automatically; no workflow change required.

Out of scope (deferred per user decision)

  • `acmart.cls` version pin (conflicts with current .gitignore policy — separate decision).
  • `experiments/` Makefile scaffold (defer until pilot code exists).

Out of scope (logged decisions retained)

  • `paper/main.pdf` auto-commit-by-CI (planning/decisions.md 2026-04-19).

Test plan

  • CI builds the PDF with the new BibTeX pipeline and the bibliography renders in ACM-Reference-Format
  • `paper/main.pdf` artifact is uploaded
  • Build provenance attestation appears under repo Attestations
  • gitleaks workflow runs on this PR and reports no findings
  • After merge: apply branch protection (`build` required check) via `gh api`

- build-pdf: bump actions to checkout v6 / upload-artifact v7 / xu-cheng
  latex-action v4.1.0, all pinned by SHA. Workflow default permissions
  read-only; job-level write + attestations + id-token for SLSA build
  provenance attached to paper/main.pdf on push-to-main. Also runs on PR.
- Add Dependabot config for github-actions ecosystem (weekly).
- Add gitleaks workflow as defense-in-depth over push protection
  (push / PR / weekly cron).
- Add .zenodo.json + CITATION.cff for the published DOI
  (10.5281/zenodo.19074337). Author field uses legal name per Paper
  layer CLAUDE.md exemption.
- Add SECURITY.md with disclosure policy + scope.
- README: add build-pdf CI status badge.
- Convert inline thebibliography (37 entries) to paper/main.bib +
  \bibliography{main} with ACM-Reference-Format style. CI latexmk
  handles the bibtex pass automatically.
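As an added example (not code from this PR or the repository), here is a small offline check for the two CI hardening points listed above: every `uses:` reference pinned to a full commit SHA rather than a mutable tag, and a read-only workflow-level `permissions` block with write scopes opted into per job. The two workflow snippets embedded in it are constructed to mirror the before/after the PR describes; the 40-hex SHA is a dummy placeholder, not the real commit, and the exact step layout is assumed.

```python
"""Audit a GitHub Actions workflow for SHA-pinned actions and read-only default permissions.

Added example; the workflows below are constructed, and DUMMY_SHA is a placeholder.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" (optionally as a list item) and captures the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

DUMMY_SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit

# Constructed "before": tag-pinned actions, no workflow-level permissions block.
BEFORE = """\
name: build-pdf
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xu-cheng/latex-action@v3
        with:
          root_file: paper/main.tex
      - uses: actions/upload-artifact@v4
        with:
          name: paper
          path: paper/main.pdf
"""

# Constructed "after": SHA-pinned actions, read-only default, job-level write opt-in.
AFTER = f"""\
name: build-pdf
on:
  push:
    branches: [main]
  pull_request:
    paths: ['paper/**']
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # commit step
      attestations: write   # SLSA provenance
      id-token: write       # OIDC token for signing
    steps:
      - uses: actions/checkout@{DUMMY_SHA} # v6.0.2
      - uses: xu-cheng/latex-action@{DUMMY_SHA} # v4.1.0
        with:
          root_file: paper/main.tex
      - uses: actions/upload-artifact@{DUMMY_SHA} # v7.0.1
        with:
          name: paper
          path: paper/main.pdf
      - if: github.event_name == 'push'
        uses: actions/attest-build-provenance@{DUMMY_SHA} # v4.1.0
        with:
          subject-path: paper/main.pdf
"""


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, ref) for each `uses:` whose ref is not a full 40-hex commit SHA.

    Tags and branches are mutable: whoever controls the action repository can move
    them, so a tag-pinned step can silently change. Local (./) and docker:// refs
    are skipped because a commit SHA does not apply to them.
    """
    unpinned = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append((n, ref))
    return unpinned


def top_level_permissions(workflow_text: str) -> Optional[Union[str, Dict[str, str]]]:
    """Return the workflow-level `permissions` value, or None if absent.

    Only a `permissions:` key at column 0 counts; indented ones belong to jobs.
    A scalar form ("read-all", "write-all", "{}") is returned as a string,
    a mapping form as {scope: level}.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        scalar = line[len("permissions:"):].split("#")[0].strip()
        if scalar:
            return scalar
        perms: Dict[str, str] = {}
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            if not sub.startswith((" ", "\t")):
                break  # back at column 0: the block is over
            key, _, value = sub.strip().partition(":")
            perms[key.strip()] = value.split("#")[0].strip()
        return perms
    return None


def is_read_only_default(workflow_text: str) -> bool:
    """True only if the workflow itself restricts the GITHUB_TOKEN to read scopes.

    No block at all means the token inherits the repository default, which may
    still be read-write, so that case is reported as not read-only.
    """
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return False
    if isinstance(perms, str):
        return perms in ("read-all", "{}")
    return all(level in ("read", "none") for level in perms.values())


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "unpinned:", find_unpinned_actions(text),
              "read-only default:", is_read_only_default(text))
```

The check is deliberately line-based so it runs without PyYAML; a `uses:` reference split across lines or built from an expression would not be caught. For the provenance half of the test plan, the practitioner-side check after merge is `gh attestation verify paper/main.pdf --repo <owner>/<repo>` (repository name left as a placeholder here), which fails if the PDF was not produced by a workflow run in that repository.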
heznpc merged commit b6971b9 into main on May 21, 2026
2 checks passed
heznpc deleted the chore/modernize-2026-05-21 branch on May 21, 2026 at 12:34
