feat(security): enable free CodeQL default-setup on every public org repo #10

Closed
JacobPEvans-personal wants to merge 1 commit into main from feat/codeql-default-setup

Conversation

@JacobPEvans-personal (Member)

Summary

Adds scripts/enable-codeql-default-setup.sh — an idempotent helper that turns on free CodeQL default-setup on every public org repo with a supported language. README updated to list it under "What it manages today" and note the provider gap that keeps it script-managed for now.

Why a script and not a Terraform resource

integrations/terraform-provider-github does not expose a resource for PUT /repos/{owner}/{repo}/code-scanning/default-setup. Closest options:

  • github_repository.security_and_analysis.code_security — requires GHAS (paid). Wrong knob.
  • required_code_scanning ruleset rule — gates merges on existing scans; doesn't enable scanning. Wrong knob.
  • github_enterprise_security_analysis_settings — Enterprise plan only.

So pure-Terraform-resource isn't on the table today. The script lives under scripts/ (allowed location per the workspace no-scripts rule's tier-4 fallback) and mirrors the precedent set by .github-tofu/scripts/import.sh. When upstream ships github_repository_code_scanning_default_setup or equivalent, the .tf takes over and this becomes a one-shot.

Cost impact

$0. Verified against AGENTS.md "Cost policy":

  • Code scanning is FREE on public repos — no GHAS license consumed.
  • GitHub Actions usage by CodeQL runs is FREE / unlimited on public repos.
  • Private repos are never targeted: the script enumerates --visibility public --no-archived before the PUT loop, so a private repo name can never reach the call.
  • Belt-and-suspenders: org-default GHAS is off per the existing policy, so an accidental PUT against a private repo would 403 anyway — no charge can land.

Idempotent

For each public, non-archived repo, the script:

  1. GETs code-scanning/default-setup to read {state, languages}.
  2. If state == "configured" → log skip (already on).
  3. If languages == [] → log skip (no supported language).
  4. Else PUT state=configured.

Re-runs are no-ops on already-configured repos. Final line: enabled: N · already-on: M · skipped-no-lang: K · errors: E.

Test plan

  • Inspect scripts/enable-codeql-default-setup.sh — sanity-check the GET / PUT / counter logic.
  • After merge, from any main worktree: ./scripts/enable-codeql-default-setup.sh. Expected ~5 enables (e.g. python-template, mlx-benchmarks, raycast-smart-issue, claude-code-best-practice, possibly nixos-ai), ~22 skips on actions-only repos, 0 errors.
  • Spot-check gh api repos/dryvist/python-template/code-scanning/default-setup --jq .state → configured.
  • Spot-check a private repo (e.g. int_homelab) — confirm it was untouched: gh api repos/dryvist/int_homelab/code-scanning/default-setup --jq .state → not-configured (or 403).
  • Re-run the script — every line should say skip, enabled: 0.

🤖 Generated with Claude Code

…repo

Code scanning default-setup is FREE on public repos (no GHAS license
consumed). Adds a script under scripts/ that idempotently turns it on
for every public org repo with a supported language. Private repos are
never targeted (would require paid GHAS Code Security per AGENTS.md
"Cost policy").

Workaround for a provider gap: integrations/terraform-provider-github
does not expose a resource for
PUT /repos/{owner}/{repo}/code-scanning/default-setup. When upstream
ships one, this script becomes an "import.sh"-style one-shot and the
.tf takes over.

Cost impact: $0. Script enumerates --visibility public --no-archived
before the PUT loop, so a private repo name can never reach the call.
Belt-and-suspenders: org-default GHAS is off, so an accidental PUT
against a private repo would 403 anyway — no charge can land.
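The GET → decide → PUT loop the PR description lays out, written out as an added example. This is not the PR's own scripts/enable-codeql-default-setup.sh (that file is not reproduced on this page); it is an independent sketch of the same procedure. It assumes an authenticated `gh` CLI whose token can read and write code scanning settings for the org, and it isolates the skip/enable decision in a pure function so the three branches can be checked without any API call. The function names, the handling of a failed GET as a counted error rather than an abort, and the `--limit 1000` page size are this example's own choices, not the PR's.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script: idempotently enable CodeQL default-setup on
# every public, non-archived repo of an org. Assumes an authenticated `gh` with
# rights to read and write code scanning settings (assumption).
set -eu

# Pure decision: given the GET response's state and its language count, return
# already-on | skipped-no-lang | enable. No network call, so it is unit-testable.
decide_action() {
  state="$1"; lang_count="$2"
  if [ "$state" = "configured" ]; then
    echo "already-on"
  elif [ "$lang_count" -eq 0 ]; then
    echo "skipped-no-lang"
  else
    echo "enable"
  fi
}

# Read {state, languages} for one repo. Prints "<state> <count>"; a failed GET
# (e.g. 403 on a repo without code scanning available) prints "error 0" so the
# caller can count it instead of aborting the whole run.
read_default_setup() {
  owner="$1"; repo="$2"
  if out=$(gh api "repos/${owner}/${repo}/code-scanning/default-setup" \
             --jq '"\(.state) \(.languages | length)"' 2>/dev/null); then
    echo "$out"
  else
    echo "error 0"
  fi
}

# PUT state=configured; `gh api -f` sends {"state":"configured"} as the JSON body.
enable_default_setup() {
  gh api --method PUT "repos/$1/$2/code-scanning/default-setup" \
    -f state=configured >/dev/null
}

main() {
  owner="${1:?usage: $0 <org>}"
  enabled=0; already=0; nolang=0; errors=0
  # Enumeration is restricted to public, non-archived repos up front, so a
  # private repo name never reaches the PUT below.
  repos=$(gh repo list "$owner" --visibility public --no-archived \
            --limit 1000 --json name --jq '.[].name')
  for repo in $repos; do
    out=$(read_default_setup "$owner" "$repo")
    state=${out%% *}; count=${out##* }
    if [ "$state" = "error" ]; then
      echo "error   $repo (GET failed)"; errors=$((errors + 1)); continue
    fi
    case "$(decide_action "$state" "$count")" in
      already-on)      echo "skip    $repo (already configured)";    already=$((already + 1)) ;;
      skipped-no-lang) echo "skip    $repo (no supported language)"; nolang=$((nolang + 1)) ;;
      enable)
        if enable_default_setup "$owner" "$repo"; then
          echo "enable  $repo"; enabled=$((enabled + 1))
        else
          echo "error   $repo (PUT failed)"; errors=$((errors + 1))
        fi ;;
    esac
  done
  echo "enabled: $enabled · already-on: $already · skipped-no-lang: $nolang · errors: $errors"
}

# Only run the loop when an org is given, so the functions can also be sourced.
[ $# -gt 0 ] && main "$@"
```

Run it as `./enable-codeql.sh <org>`; a second run should report `enabled: 0` because every repo now falls into the already-on or skipped-no-lang branch. Because the GET is issued before any write, a repo whose default-setup endpoint is unavailable is counted as an error and never receives a PUT.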
@JacobPEvans-personal (Member, Author)

Closing — wrong approach. The whole point of this repo is declarative OpenTofu config, not bash scripts. Replacing with pure-IaC approach.

@JacobPEvans-personal JacobPEvans-personal deleted the feat/codeql-default-setup branch June 4, 2026 11:46