[Fix] CI: consolidate required checks into _required.yml so they report

[mvillmow]

Problem

Every open PR on main was stuck mergeStateStatus=BLOCKED with auto-merge armed and all present checks green — but never merged. 13 PRs piled up un-mergeable.

The org ruleset homeric-main-baseline requires 8 status-check contexts, but 5 of them never reported because the jobs lived in separate workflows under non-matching names:

Required context	Was emitted as
lint	(none — split across markdownlint, pre-commit, …)
unit-tests	test (unit, tests/unit)
integration-tests	test (integration, tests/integration)
security/dependency-scan	Dependency vulnerability scan
security/secrets-scan	Secrets scan (gitleaks)

GitHub held PRs BLOCKED waiting for contexts that never appeared.

Fix

Consolidate the 5 missing jobs into _required.yml under their canonical names — one workflow, one concurrency group — matching the healthy-repo pattern in ProjectHephaestus.

• _required.yml: add lint, unit-tests, integration-tests, security/dependency-scan, security/secrets-scan. The old test.yml matrix is split into two discrete jobs so the emitted names are unit-tests / integration-tests.
• Delete test.yml and pre-commit.yml (bodies moved into _required.yml).
• Trim security.yml to a schedule-only weekly sweep (no pull_request/push/workflow_call trigger) so it can't emit competing PR contexts.
• The concurrency.group now includes ${{ github.workflow }} so it can't collide with another workflow's group — the bug that broke the earlier workflow_call bridge.

Verification

• All 8 required contexts are now emitted by _required.yml (confirmed by parsing the YAML and diffing against the ruleset).
• Every workflow passes the github-workflow JSON schema (check-jsonschema — the schema-validation job) locally: ok -- validation done.
• forbid-suppressions guard: no || true / continue-on-error: true introduced.

Closes #2016