Add build provenance attestation to the release workflow using actions/attest-build-provenance with OIDC keyless signing. Document release signature verification in SECURITY.md.
- Rewrite GOVERNANCE.md with expanded structure: goals, scope, project values, detailed roles, decision-making process, merge expectations, maintainer lifecycle, and continuity sections. - Add CODE_OF_CONDUCT.md covering expected behavior, unacceptable behavior, scope, reporting, and enforcement. - Remove fictitious email address from SECURITY.md, keeping only GitHub Private Vulnerability Reporting as the reporting channel.
Add security policy covering vulnerability reporting channels (GitHub Private Vulnerability Reporting + email), response timeline, and scope definition to meet OpenSSF Best Practices Reporting criteria.