feat(github): enable free GitHub features

- dependabot.yml: automated updates for GitHub Actions and Go modules
- CODEOWNERS: auto-assign reviewers by path
- SECURITY.md: vulnerability reporting policy
- ISSUE_TEMPLATE/: structured bug reports and feature requests
- PULL_REQUEST_TEMPLATE.md: PR checklist

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+# Default owners for everything
+* @host-uk/core-maintainers
+
+# Scripts and CI
+/scripts/ @host-uk/devops
+/.github/ @host-uk/devops
+
+# Documentation
+*.md @host-uk/docs
+/docs/ @host-uk/docs

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,51 @@
+name: Bug Report
+description: Report a problem with the developer workspace or scripts
+title: "[Bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting! Please fill out the details below.
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      options:
+        - macOS
+        - Windows
+        - Linux (Ubuntu/Debian)
+        - Linux (Other)
+    validations:
+      required: true
+
+  - type: input
+    id: script
+    attributes:
+      label: Script/Command
+      description: Which script or command failed?
+      placeholder: "e.g., make setup, install-deps.ps1, core doctor"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: Describe the issue
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Error output
+      description: Paste any error messages
+      render: shell

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Questions & Discussions
+    url: https://github.com/host-uk/core-devops/discussions
+    about: Ask questions and discuss ideas
+  - name: Security Issues
+    url: https://github.com/host-uk/core-devops/security/policy
+    about: Report security vulnerabilities privately

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,45 @@
+name: Feature Request
+description: Suggest an improvement to the developer workspace
+title: "[Feature]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the suggestion! Please describe your idea below.
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - Setup scripts (install-deps, install-core)
+        - Core CLI commands
+        - Documentation
+        - IDE configuration
+        - CI/CD workflows
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or use case
+      description: What problem does this solve?
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How would you like it to work?
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any other approaches you've thought about?

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,25 @@
+## Summary
+
+<!-- Brief description of changes -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Documentation
+- [ ] CI/CD improvement
+- [ ] Other: <!-- describe -->
+
+## Checklist
+
+- [ ] Scripts tested on target OS (macOS/Windows/Linux)
+- [ ] Documentation updated if needed
+- [ ] No secrets or credentials in code
+
+## Testing
+
+<!-- How did you test these changes? -->
+
+## Related issues
+
+<!-- Link any related issues: Fixes #123, Relates to #456 -->

.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci(deps)"
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # Go modules (for core CLI when built locally)
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - "dependencies"
+      - "go"
+    open-pull-requests-limit: 5

SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| dev     | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via email to: **security@host.uk.com**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Any suggested fixes (optional)
+
+You should receive a response within 48 hours. If the issue is confirmed, we will:
+1. Work on a fix privately
+2. Release a patch
+3. Credit you in the release notes (unless you prefer anonymity)
+
+## Security Best Practices
+
+When contributing to this repository:
+- Never commit secrets, API keys, or credentials
+- Use environment variables for sensitive configuration
+- Review dependencies for known vulnerabilities
+- Follow the principle of least privilege in scripts