chore(ci): add Dependabot config and workflow permissions

[igerber]

Summary

• Add .github/dependabot.yml covering pip (root), cargo (rust/), and GitHub Actions ecosystems on a weekly schedule. Minor/patch bumps group into one PR per ecosystem; majors stay individual.
• Declare workflow-scoped permissions: contents: read on ci-gate.yml, notebooks.yml, and rust-test.yml. These workflows previously inherited the repo default (currently read), which is safe today but would silently widen if the default ever flipped.
• publish.yml and ai_pr_review.yml already declare per-job permissions: and are unchanged.

Methodology references (required if estimator / math changes)

• N/A — CI configuration only, no estimator or math changes.

Validation

• All four YAML files parse cleanly via yaml.safe_load.
• No code paths touched; no test runs required.

Security / privacy

• No secrets/PII in this PR.

[github-actions]

Overall Assessment

✅ Looks good — no unmitigated P0/P1 findings. I found one P3 least-privilege hardening nit in ci-gate.yml.

Executive Summary

• Diff scope is CI/dependency automation only (.github/dependabot.yml, .github/workflows/*.yml); no estimator, weighting, variance/SE, identification, or default-behavior code changed, so no methodology contract is affected.
• .github/dependabot.yml:L1-L46 uses valid Dependabot structure and semantics: required keys are present, / is the correct directory for GitHub Actions scanning, weekly day: monday is valid, and groups.update-types: [minor, patch] leaves majors unmatched and therefore individual. (docs.github.com)
• Adding explicit workflow-level permissions is a net hardening change because explicit scopes override repo defaults and unspecified scopes become none; notebooks.yml and rust-test.yml both use actions/checkout, which recommends contents: read. (docs.github.com)
• I parsed all four YAML files locally with yaml.safe_load; residual risk is limited to GitHub-hosted runtime behavior that cannot be exercised here.

Methodology

• No findings. I checked docs/methodology/REGISTRY.md:L1-L40 for scope, and the diff only touches .github configuration: .github/dependabot.yml:L1-L46, .github/workflows/ci-gate.yml:L1-L23, .github/workflows/notebooks.yml:L1-L70, and .github/workflows/rust-test.yml:L1-L193.

Code Quality

• No findings. The YAML changes are small, readable, and parsed cleanly locally.

Performance

• No findings introduced by this PR.

Maintainability

• No findings. The Dependabot groups are explicit, and the new workflow permissions remove reliance on repository-default token behavior. (docs.github.com)

Tech Debt

• No new findings. The existing low-priority label/unlabel retrigger issue for notebooks.yml and rust-test.yml remains tracked in TODO.md:L119 and is unchanged by this PR.

Security

• P3 — Impact: .github/workflows/ci-gate.yml:L8-L9 still grants repository read access even though the only job logic at .github/workflows/ci-gate.yml:L16-L23 reads event metadata and prints an error. Concrete fix: change that workflow to permissions: {}; keep contents: read in notebooks.yml and rust-test.yml because those workflows use actions/checkout. (docs.github.com)

Documentation/Tests

• No findings. No methodology or user-facing docs are needed for a CI-only change; local YAML parse validation is appropriate for scope, though full workflow execution would still need GitHub Actions.

[igerber]

/ai-review

[github-actions]

🔁 AI review rerun (requested by @igerber)

Head SHA: 5404b12777caa5fd9811485db9a1a59b414bdf7b

---

Overall Assessment
✅ Looks good - no unmitigated P0/P1 findings.

Executive Summary

• Scope is CI/dependency automation only: .github/dependabot.yml:L1-L46, .github/workflows/ci-gate.yml:L1-L22, .github/workflows/notebooks.yml:L1-L70, and .github/workflows/rust-test.yml:L1-L193. No estimator, weighting, variance/SE, identification, or default-behavior code changed.
• Re-review note: the prior least-privilege P3 on ci-gate is resolved. ci-gate now uses permissions: {} at .github/workflows/ci-gate.yml:L8-L22, which disables all GITHUB_TOKEN scopes; GitHub also documents that once any permission is specified, all unspecified scopes become none. (docs.github.com)
• notebooks.yml and rust-test.yml now pin GITHUB_TOKEN to contents: read at .github/workflows/notebooks.yml:L23-L70 and .github/workflows/rust-test.yml:L22-L193, matching the actions/checkout recommended permission set. (github.com)
• .github/dependabot.yml:L1-L46 matches current Dependabot docs: the required keys are present, directory: "/" is the documented setting for github-actions, and grouping only minor/patch updates leaves major bumps as individual PRs. The repo's Python manifest is a PEP 621 pyproject.toml at pyproject.toml:L1-L60, which the pip ecosystem supports, and the Rust manifest exists at rust/Cargo.toml:L1-L43. (docs.github.com)
• All four changed YAML files parsed successfully in local yaml.safe_load validation.
• The existing label/unlabel retrigger inefficiency remains tracked in TODO.md:L119-L119 and is unchanged by this PR.

Methodology

• No findings. Severity: none. Impact: docs/methodology/REGISTRY.md:L1-L30 covers estimator methodology, but this diff only changes .github automation files, so no methods are affected. Concrete fix: none.

Code Quality

• No findings. Severity: none. Impact: the changed YAML is small, readable, and parsed cleanly in local validation. Concrete fix: none.

Performance

• Severity: P3 informational. Impact: the low-priority re-trigger-on-unrelated-label-events behavior for .github/workflows/notebooks.yml and .github/workflows/rust-test.yml remains tracked in TODO.md:L119-L119; this PR neither fixes nor worsens it. Concrete fix: none for this PR.

Maintainability

• No findings. Severity: none. Impact: declaring workflow permissions inline makes token scope explicit instead of depending on repository defaults, which is easier to audit over time. .github/workflows/ci-gate.yml:L8-L22, .github/workflows/notebooks.yml:L23-L70, .github/workflows/rust-test.yml:L22-L193. (docs.github.com) Concrete fix: none.

Tech Debt

• Severity: P3 informational. Impact: no new technical debt is introduced; the only related open item in scope is already tracked in TODO.md:L119-L119. Concrete fix: none.

Security

• No findings. Severity: none. Impact: no security regression identified. ci-gate no longer receives a token it does not use, and the checkout-based workflows request only contents: read, which is the documented least-privilege baseline for actions/checkout. .github/workflows/ci-gate.yml:L8-L22, .github/workflows/notebooks.yml:L23-L70, .github/workflows/rust-test.yml:L22-L193. (docs.github.com) Concrete fix: none.

Documentation/Tests

• No findings. Severity: none. Impact: no methodology docs or estimator tests are required for a CI-only change; static YAML validation is appropriate for this scope, with the normal caveat that GitHub-hosted runtime behavior was not executed in this local review. Concrete fix: none.