chore(github): enable free-tier features — dependabot, CODEOWNERS, issue form, SECURITY, CITATION, dynamic badge

[prat96]

Enables the low-effort GitHub features from the repo audit, plus the workflow change needed to make a required status check safe. All free for public repos; pure config/CI/docs — no firmware or build-behavior changes, nothing runs at or above the DAP path.

What's in here

File	Feature	Why
.github/dependabot.yml	Dependabot version updates	Security updates were already on, but no version-bump PRs. Scoped to the only two manifest-managed ecosystems — github-actions and pip (requirements.txt). C upstream stays git-pinned via setup.sh, intentionally excluded.
.github/CODEOWNERS	Code-owner review	The ruleset's require_code_owner_review was a silent no-op with no file. Names the two analyze.sh-pristine files. @prat96.
.github/ISSUE_TEMPLATE/bug_report.yml + config.yml	Repo-specific issue form	Requires the {"q":"status"} line (firmware ver) and prompts for {"q":"lastfault"}. Routes questions → Discussions, security → private advisories.
SECURITY.md	Security policy	Adds the policy + trust model (physical/USB access trusted) so reports target the real surface.
CITATION.cff	"Cite this repository" widget	Near-zero-effort OSS maturity signal.
README.md	Dynamic release badge	Was hardcoded v1.0 while v1.1 shipped; now img.shields.io/github/v/release.
.github/workflows/host-tests.yml	Required-check safety	Drop the pull_request paths filter so Portable logic (no hardware) reports on every PR — a path-filtered required check leaves PRs blocked on a forever-pending "Expected" status. Hosted + uploads nothing, so docs-only PRs cost nothing.
.github/workflows/firmware-c.yml	Artifact retention cap	retention-days: 7 on the build artifact (was defaulting to 90); on publish the binaries also go to the free permanent Release.

Done alongside this PR (applied directly)

• ✅ Required status check — Portable logic (no hardware) added to the default ruleset (non-strict, do_not_enforce_on_create). The host-tests.yml change above is what makes it safe.
• ✅ Labels — dropped stray new project!; added dap / dashboard / sd / cdc1 / gate.
• ✅ Homepage — set to https://github.com/GhostRoboticsLab.
• ⏳ Social-preview image — UI-only (Settings → General → Social preview), pending an image.

Notes

• pyserial==3.5 is exact-pinned for HIL USB-CDC stability — review any Dependabot bump against the macOS bench gotchas before merging.
• Replace @prat96 in CODEOWNERS with an org team if preferred.
• Merge requires a review (ruleset) — use the admin bypass to self-merge, or have a second maintainer approve.