feat: Phase 2 — Workflow automation (11 tasks, 10 new workflows)

New workflows:
- stale.yml: 60-day stale + 14-day close, exempt in-progress/blocked/high/roadmap
- auto-label.yml + labeler.yml: path-based PR labeling (docs, ci, deps)
- pr-size.yml: size/xs through size/xl labels with XL advisory
- codeql.yml: CodeQL with empty language matrix (template no-op)
- dependabot-auto-merge.yml: auto-squash minor/patch Dependabot PRs
- validate-template.yml: meta-CI (YAML, JSON, ShellCheck, SHA-pin check, secrets scan)
- dependency-review.yml: fail on moderate+ severity vulnerabilities
- scan-pr-body.yml: prompt injection detection (commented, opt-in)
- welcome.yml: first-time contributor greeting (commented, opt-in)
- lock-threads.yml: weekly lock of 30-day-old closed threads

Modified:
- ci.yml: Rust section (commented), paths-ignore, multi-OS matrix example
- labels.sh: size/xs-xl labels + deferred label

All actions SHA-pinned. All workflows have explicit permissions + timeout-minutes.

Co-authored-by: Tony Bonk <vbonk@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vbonk

.github/labeler.yml

@@ -0,0 +1,54 @@
+# Labeler configuration for actions/labeler
+# Maps file path patterns to PR labels.
+# See: https://github.com/actions/labeler
+
+documentation:
+  - changed-files:
+      - any-glob-to-any-file:
+          - '*.md'
+          - 'docs/**'
+
+ci:
+  - changed-files:
+      - any-glob-to-any-file:
+          - '.github/**'
+
+dependencies:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'package.json'
+          - 'package-lock.json'
+          - 'requirements.txt'
+          - 'requirements*.txt'
+          - 'pyproject.toml'
+          - 'go.mod'
+          - 'go.sum'
+          - 'Cargo.toml'
+          - 'Cargo.lock'
+          - 'Gemfile'
+          - 'Gemfile.lock'
+
+# TEMPLATE: Uncomment and adjust for your project structure
+#
+# frontend:
+#   - changed-files:
+#       - any-glob-to-any-file:
+#           - 'src/components/**'
+#           - 'src/pages/**'
+#           - 'src/styles/**'
+#           - '*.css'
+#           - '*.scss'
+#
+# backend:
+#   - changed-files:
+#       - any-glob-to-any-file:
+#           - 'src/api/**'
+#           - 'src/services/**'
+#           - 'src/models/**'
+#
+# tests:
+#   - changed-files:
+#       - any-glob-to-any-file:
+#           - 'tests/**'
+#           - '**/*.test.*'
+#           - '**/*.spec.*'

.github/workflows/auto-label.yml

@@ -0,0 +1,25 @@
+# Auto-Label PRs
+# Automatically labels PRs based on changed file paths.
+# Configure labels in .github/labeler.yml
+
+name: Auto Label
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Label PR based on changed files
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          sync-labels: true

.github/workflows/ci.yml

@@ -7,8 +7,10 @@ name: CI
 on:
   push:
     branches: [main]
+    paths-ignore: ['**.md', 'docs/**', 'LICENSE', '.editorconfig']
   pull_request:
     branches: [main]
+    paths-ignore: ['**.md', 'docs/**', 'LICENSE', '.editorconfig']
 
 # Cancel in-progress runs for the same branch
 concurrency:
@@ -82,9 +84,48 @@ jobs:
       # - name: Test
       #   run: go test ./...
 
+      # --- Rust ---
+      # - name: Setup Rust
+      #   uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master
+      #   with:
+      #     toolchain: stable
+      #     components: rustfmt, clippy
+      #
+      # - name: Rust cache
+      #   uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
+      #
+      # - name: Check formatting
+      #   run: cargo fmt --all -- --check
+      #
+      # - name: Clippy
+      #   run: cargo clippy --all-targets --all-features -- -D warnings
+      #
+      # - name: Test
+      #   run: cargo test --all-features
+      #
+      # - name: Build
+      #   run: cargo build --release
+
       # --- Generic (placeholder) ---
       - name: Placeholder
         run: |
           echo "CI workflow running"
           echo "Configure this workflow for your tech stack"
-          echo "See comments above for Node.js, Python, and Go examples"
+          echo "See comments above for Node.js, Python, Go, and Rust examples"
+
+  # ============================================
+  # TEMPLATE: Multi-OS matrix example
+  # Uncomment and replace the 'build' job above to test across OSes.
+  # ============================================
+  # build-matrix:
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os: [ubuntu-latest, macos-latest, windows-latest]
+  #   runs-on: ${{ matrix.os }}
+  #   timeout-minutes: 15
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #     - name: Build & Test
+  #       run: echo "Running on ${{ matrix.os }}"

.github/workflows/codeql.yml

@@ -0,0 +1,56 @@
+# CodeQL Analysis
+# Runs GitHub's CodeQL security scanner.
+# TEMPLATE: Uncomment languages in the matrix to enable scanning.
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 8 * * 1' # Weekly Monday 08:00 UTC
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # TEMPLATE: Uncomment languages used in your project.
+        # Supported: javascript, typescript, python, go, ruby, java, kotlin, csharp, cpp, swift
+        language: []
+        # language:
+        #   - javascript-typescript
+        #   - python
+        #   - go
+        #   - java-kotlin
+        #   - ruby
+        #   - csharp
+        #   - cpp
+        #   - swift
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,32 @@
+# Dependabot Auto-Merge
+# Automatically merges minor and patch Dependabot PRs after CI passes.
+# Major version bumps still require human review.
+
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge minor and patch updates
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,28 @@
+# Dependency Review
+# Scans PRs for vulnerable or license-restricted dependencies.
+# Blocks PRs that introduce moderate+ severity vulnerabilities.
+
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          fail-on-severity: moderate
+          comment-summary-in-pr: always

.github/workflows/lock-threads.yml

@@ -0,0 +1,36 @@
+# Lock Stale Threads
+# Locks issues and PRs that have been closed for 30+ days.
+# Prevents necro-posting on resolved threads.
+
+name: Lock Threads
+
+on:
+  schedule:
+    - cron: '0 7 * * 1' # Weekly Monday 07:00 UTC
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  lock:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Lock closed threads
+        uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-inactive-days: 30
+          pr-inactive-days: 30
+          issue-comment: >
+            This issue has been locked because it has been closed for more than
+            30 days. If you have a related question or issue, please open a new
+            one with a link to this thread for context.
+          pr-comment: >
+            This PR has been locked because it has been closed for more than
+            30 days. If you have a related question or change, please open a new
+            PR with a link to this thread for context.
+          log-output: true

.github/workflows/pr-size.yml

@@ -0,0 +1,43 @@
+# PR Size Labeler
+# Automatically labels PRs by size (lines changed).
+# Encourages smaller, reviewable PRs.
+
+name: PR Size
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  size-label:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Label PR by size
+        uses: codelytv/pr-size-labeler@4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a # v1.10.3
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          xs_label: 'size/xs'
+          xs_max_size: 10
+          s_label: 'size/s'
+          s_max_size: 50
+          m_label: 'size/m'
+          m_max_size: 200
+          l_label: 'size/l'
+          l_max_size: 500
+          xl_label: 'size/xl'
+          fail_if_xl: false
+          message_if_xl: >
+            This PR exceeds 500 lines changed. Consider breaking it into
+            smaller, focused PRs for easier review and safer merges.
+          files_to_ignore: |
+            package-lock.json
+            yarn.lock
+            pnpm-lock.yaml
+            Cargo.lock
+            go.sum