ci: add security scanning workflow templates

Templates for repos to enable language-specific security scanning:
- security-php.yml: PHPStan + Semgrep SAST
- security-shell.yml: ShellCheck for bash scripts
- security-docker.yml: Hadolint for Dockerfiles

CodeQL default setup now enabled across all public repos for:
- Go, JavaScript/TypeScript (core, core-gui, build)
- JavaScript/TypeScript (core-admin, core-api, core-mcp, etc.)
- Actions workflow scanning (core-php, core-tenant, etc.)
- Python (ansible-*, docker-server-blockchain)
- C# (btcpayserver-docker)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflow-templates/security-docker.yml

@@ -0,0 +1,23 @@
+name: Dockerfile Lint
+
+on:
+  push:
+    branches: [dev, main]
+    paths: ['**/Dockerfile*', '**.dockerfile']
+  pull_request:
+    branches: [dev, main]
+    paths: ['**/Dockerfile*', '**.dockerfile']
+  workflow_dispatch:
+
+jobs:
+  hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          recursive: true
+          failure-threshold: warning

.github/workflow-templates/security-php.yml

@@ -0,0 +1,50 @@
+name: PHP Security
+
+on:
+  push:
+    branches: [dev, main]
+  pull_request:
+    branches: [dev, main]
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  phpstan:
+    name: PHPStan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          coverage: none
+          
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+        
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyse --error-format=github || true
+
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Run Semgrep
+        run: semgrep scan --config auto --sarif --output results.sarif || true
+        
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        if: always()

.github/workflow-templates/security-shell.yml

@@ -0,0 +1,24 @@
+name: Shell Lint
+
+on:
+  push:
+    branches: [dev, main]
+    paths: ['**.sh', '**.bash', 'scripts/**']
+  pull_request:
+    branches: [dev, main]
+    paths: ['**.sh', '**.bash', 'scripts/**']
+  workflow_dispatch:
+
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+        with:
+          severity: warning
+          scandir: '.'
+          format: gcc