ci: add GitHub AI handoff checks

[lwnmengjing]

Summary

• add organization Copilot instructions for GitHub-native AI handoff boundaries
• add Dependabot, CodeQL, and OpenSSF Scorecard checks for the organization .github repository
• record durable AIGC memory for GitHub AI delegation and external settings boundaries

Tests

• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• ruby -e 'require "yaml"; YAML.load_file(".github/dependabot.yml")'\n- git diff --check\n\n## Docs\n- Adds organization-local AIGC memory under aigc/prompts/.\n\n## Security\n- Adds CodeQL, Scorecard, and Dependabot self-checks for organization workflow/template files.\n- Does not add secrets or external credentials.\n\n## Release / compatibility / rollback\n- No runtime release impact.\n- Rollback is reverting this PR if a new organization workflow is too noisy.\n\n## Notes\n- This does not enable paid/org-level Copilot settings by itself. Branch rulesets, required checks, Copilot automatic review, and private vulnerability reporting still need maintainer-side GitHub settings review.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Copilot]

Pull request overview

Adds organization-wide GitHub-native AI handoff/governance guidance and introduces baseline supply-chain/security automation for the org .github repository (Dependabot + CodeQL + OpenSSF Scorecard), plus a durable AIGC handoff record.

Changes:

• Add .github/copilot-instructions.md to define Copilot/automation boundaries and governance expectations.
• Add Dependabot, CodeQL, and OpenSSF Scorecard workflows/config to extend security and supply-chain checks to org-level assets.
• Add a durable Chinese AIGC handoff prompt record under aigc/prompts/.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md	Adds a durable AI handoff memo (zh-CN) documenting governance/automation boundaries.
.github/workflows/scorecard.yml	Adds OpenSSF Scorecard scanning and SARIF upload to GitHub code scanning.
.github/workflows/codeql.yml	Adds CodeQL analysis workflow for GitHub Actions content.
.github/dependabot.yml	Enables weekly GitHub Actions dependency update PRs with grouping/labels.
.github/copilot-instructions.md	Establishes organization-wide Copilot and automation operating guidelines for this repo.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.