Added GitHub security automation

- Added a public SECURITY.md with a private reporting workflow
- Added CodeQL and dependency review workflows for main and pull requests
- Added a pinned docs requirements manifest so dependency graph tooling has a supported dependency source

Author: byteshiftlabs

.github/workflows/codeql.yml

@@ -0,0 +1,53 @@
+name: Code Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '17 4 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL (${{ matrix.language }})
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - actions
+          - cpp
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Install RISC-V cross toolchain
+        if: matrix.language == 'cpp'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc-riscv64-unknown-elf binutils-riscv64-unknown-elf
+
+      - name: Build kernel for analysis
+        if: matrix.language == 'cpp'
+        run: |
+          make clean
+          make -j2
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3

.github/workflows/dependency-review.yml

@@ -0,0 +1,18 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4

SECURITY.md

@@ -0,0 +1,30 @@
+# Security Policy
+
+## Supported Versions
+
+ThunderOS is currently maintained on the default branch and the latest release line.
+
+| Version | Supported |
+|---------|-----------|
+| `main` | Yes |
+| Latest `v0.9.x` release | Yes |
+| Older tags and unmaintained branches | No |
+
+## Reporting a Vulnerability
+
+Use GitHub private vulnerability reporting for ThunderOS.
+
+1. Open the repository security page.
+2. Choose `Report a vulnerability`.
+3. Include the affected commit, subsystem, reproduction steps, and impact.
+4. Do not open a public issue for security-sensitive bugs.
+
+If the bug is not security-sensitive, use the normal issue tracker instead.
+
+## What To Expect
+
+- An acknowledgment within 5 business days.
+- A follow-up status update after triage.
+- Coordinated disclosure after a fix is available.
+
+Reports that include a clear reproduction path, affected configuration, and expected impact are much easier to triage quickly.

docs/README.md

@@ -71,10 +71,10 @@ The `riscv/` directory contains practical reference material for RISC-V architec
 
 ### Prerequisites
 
-Install Sphinx and the RTD theme:
+Install the pinned documentation dependencies:
 
 ```bash
-pip install sphinx sphinx_rtd_theme
+pip install -r requirements.txt
 ```
 
 ### Build HTML Documentation

docs/requirements.txt

@@ -0,0 +1,3 @@
+Sphinx==8.1.3
+sphinx-rtd-theme==3.0.2
+Pygments==2.19.2