
ci(github): add ci workflows#40

Merged
adcondev merged 10 commits into master from feat/login
Feb 19, 2026

Conversation

@adcondev (Owner)

This pull request introduces a comprehensive security model for the Scale Daemon's dashboard and WebSocket configuration, updates CI/CD workflows for improved dependency handling and build checks, and enhances developer experience with new templates and documentation. The most important changes are grouped below by theme:

Security Model & WebSocket Authorization:

  • Added a layered security model for dashboard and WebSocket configuration, including session-based dashboard access, per-message config token for WebSocket config changes, rate limiting, brute force protection, and audit logging. Detailed documentation is now present in README.md.
  • The WebSocket config schema (scale_websocket.schema.json) now requires an authToken for config changes and defines error responses for invalid tokens and rate limiting. [1] [2]
  • The dashboard HTML template (index.html) injects the WebSocket auth token as a meta tag for use by authenticated sessions.
  • The dashboard JavaScript (websocket.js) now includes the auth token in config messages and handles new error responses from the server, displaying user-friendly error messages. [1] [2]

Authentication UI:

  • Introduced a new login page (login.html) with error and lockout feedback, supporting the new authentication flow.

CI/CD Workflow Improvements:

  • CI workflows now check out the poster library as a local dependency, patch go.mod to use the local version, and handle cleaning and building accordingly. A new build job is added to produce and summarize Windows binaries. [1] [2] [3] [4]
  • The CI is optimized to ignore documentation changes and cancel in-progress runs for the same branch.
  • CodeQL static analysis is now configured via a new .github/codeql-config.yml file and referenced in the workflow. [1] [2] [3]

Developer Experience:

  • Added a new pull request template to standardize PR descriptions, testing, and checklists.
  • Improved the PR automation workflow to avoid commenting on PRs opened by the repository owner.

Miscellaneous:

  • Updated Go module dependencies, including bumping golang.org/x/sys and adding golang.org/x/crypto.
  • Minor schema and example updates in scale_websocket.schema.json and legacy HTML docs. [1] [2]

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
… descriptions

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
…rove configuration handling

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
…et auth token key

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
…checks, and improved triggers

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
@adcondev adcondev self-assigned this Feb 19, 2026
@adcondev adcondev added the enhancement New feature or request label Feb 19, 2026
…onventions

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
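The per-message config token, brute-force protection and rate-limit error reply listed in the description above, as an added example that is not part of the Scale Daemon code base: the message shape (only the authToken field name comes from the PR), the error strings invalid_token, rate_limited and invalid_message, the failure threshold and the lockout window are all assumptions; README.md and scale_websocket.schema.json in the PR define the real ones. The token is compared as SHA-256 digests in constant time, and a client that fails too often is refused for the lockout window even when it then presents the right token, which is what makes the counter a brute-force control rather than a log line.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"math"
	"sync"
	"time"
)

// ConfigMessage is an assumed shape for a WebSocket config-change message.
// Only the authToken field name is taken from the PR description.
type ConfigMessage struct {
	Type      string          `json:"type"`
	AuthToken string          `json:"authToken"`
	Config    json.RawMessage `json:"config"`
}

// ErrorResponse is an assumed error reply; the project's schema defines its own.
type ErrorResponse struct {
	Type       string `json:"type"`
	Error      string `json:"error"`
	RetryAfter int    `json:"retryAfterSeconds,omitempty"`
}

// ConfigGuard checks the per-message token and locks a client out after
// repeated failures. Threshold and lockout window are policy assumptions.
type ConfigGuard struct {
	mu          sync.Mutex
	tokenHash   [32]byte
	maxFailures int
	lockout     time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
	now         func() time.Time // injectable clock, used to expire lockouts
}

func NewConfigGuard(token string, maxFailures int, lockout time.Duration) *ConfigGuard {
	return &ConfigGuard{
		tokenHash:   sha256.Sum256([]byte(token)),
		maxFailures: maxFailures,
		lockout:     lockout,
		failures:    map[string]int{},
		lockedUntil: map[string]time.Time{},
		now:         time.Now,
	}
}

// Authorize returns nil when raw is a config message carrying the right token,
// otherwise the error reply to send back. clientID is whatever identifies the
// connection (remote address, session id); it keys the failure counters.
func (g *ConfigGuard) Authorize(clientID string, raw []byte) *ErrorResponse {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()

	if until, ok := g.lockedUntil[clientID]; ok {
		if now.Before(until) {
			return rateLimited(until.Sub(now)) // still locked out, even for a valid token
		}
		delete(g.lockedUntil, clientID) // lockout expired, start clean
		g.failures[clientID] = 0
	}

	var msg ConfigMessage
	if err := json.Unmarshal(raw, &msg); err != nil || msg.Type != "config" {
		return &ErrorResponse{Type: "error", Error: "invalid_message"}
	}

	// Hash both sides so the comparison is constant time whatever the length of
	// the presented token (ConstantTimeCompare returns early on a length
	// mismatch, which would otherwise leak the expected length).
	presented := sha256.Sum256([]byte(msg.AuthToken))
	if subtle.ConstantTimeCompare(presented[:], g.tokenHash[:]) != 1 {
		g.failures[clientID]++
		if g.failures[clientID] >= g.maxFailures {
			g.lockedUntil[clientID] = now.Add(g.lockout)
			return rateLimited(g.lockout)
		}
		return &ErrorResponse{Type: "error", Error: "invalid_token"}
	}
	g.failures[clientID] = 0
	return nil
}

func rateLimited(wait time.Duration) *ErrorResponse {
	return &ErrorResponse{Type: "error", Error: "rate_limited", RetryAfter: int(math.Ceil(wait.Seconds()))}
}

func main() {
	g := NewConfigGuard("example-config-token", 3, time.Minute)
	// Constructed sample messages: one valid, one with a guessed token.
	good := []byte(`{"type":"config","authToken":"example-config-token","config":{"port":9000}}`)
	bad := []byte(`{"type":"config","authToken":"guess","config":{}}`)
	for i, m := range [][]byte{good, bad, bad, bad, good} {
		if resp := g.Authorize("192.0.2.10:51234", m); resp != nil {
			out, _ := json.Marshal(resp)
			fmt.Printf("msg %d rejected: %s\n", i, out)
		} else {
			fmt.Printf("msg %d accepted\n", i)
		}
	}
}
```

Keying the counters by connection is the weakest part of any such scheme on a LAN daemon: a client that reconnects gets a fresh counter, so the key should be the remote address (or the dashboard session) rather than a per-socket id, and the audit log the PR adds should record every invalid_token and rate_limited reply.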
github-actions bot commented Feb 19, 2026

⚡ Benchmark Results

⚠️ No benchmarks found in the current codebase.

To add benchmarks, create functions starting with Benchmark in *_test.go files.

Comment on lines +158 to +165
http.SetCookie(w, &http.Cookie{
    Name:     SessionCookieName,
    Value:    token,
    Path:     "/",
    MaxAge:   int(SessionDuration.Seconds()),
    HttpOnly: true,
    SameSite: http.SameSiteStrictMode,
})

Check warning: Code scanning / CodeQL
Cookie 'Secure' attribute is not set to true (Medium)
Cookie does not set Secure attribute to true.

Copilot Autofix (AI, 6 days ago)

To fix the problem in general, the session cookie must be created with the Secure field set to true, ensuring the browser only sends it over HTTPS. Any related cookie operations (such as clearing the cookie) should use the same security attributes to avoid inconsistent behavior.

The best fix here, without changing existing functionality, is:

  • In SetSessionCookie, add Secure: true, to the http.Cookie literal so the session cookie is HTTPS‑only.
  • In ClearSessionCookie, also add Secure: true, so the deletion cookie matches the original cookie’s attributes (name, path, Secure, SameSite, HttpOnly, etc.), ensuring browsers properly remove it.

No new imports or helper methods are needed. All changes are within internal/auth/auth.go, in the SetSessionCookie and ClearSessionCookie functions around lines 155–179.

Suggested changeset 1: internal/auth/auth.go

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -162,6 +162,7 @@
 		MaxAge:   int(SessionDuration.Seconds()),
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
 	})
 	return token
 }
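Review bot: hard-coding Secure: true in SetSessionCookie breaks login for every deployment that serves the dashboard over plain HTTP from a non-loopback address (a daemon reached by LAN IP, which is the usual case here): the browser accepts the Set-Cookie but never sends the cookie back, so each login silently lands on the login page again. Derive the attribute from the connection instead, for example `Secure: r.TLS != nil`, or from a config flag for deployments behind a TLS-terminating proxy, and state the requirement in README.md next to the session model. Note also that the cookie carries the raw token as its Value, so whatever stores it server-side should hold a hash or compare in constant time; this hunk does not show that side.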
@@ -175,6 +176,7 @@
 		MaxAge:   -1,
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
 	})
 }
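Review bot: adding Secure to the clearing cookie is correct (a deletion is only honoured when Name, Path and Secure match the cookie the browser holds), but the value must be computed by the same expression as in SetSessionCookie; once that becomes conditional on r.TLS or a config flag, two hand-copied literals will drift. Build the cookie in one helper that both functions call and vary only Value and MaxAge.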
 
EOF
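An added example of the fix the alert asks for, with the caveat a locally served daemon needs; it is not the project's code, and SessionCookieName, SessionDuration and the behindTLSProxy flag are assumptions. The Secure attribute is taken from the connection (r.TLS != nil) or from a deployment flag for a TLS-terminating proxy rather than hard-coded, one constructor builds both the issuing and the clearing cookie so their attributes cannot diverge, and IssueAndClear runs both through httptest so the resulting Set-Cookie headers can be checked rather than assumed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed values; the real constants live in internal/auth/auth.go.
const (
	SessionCookieName = "scale_session"
	SessionDuration   = 12 * time.Hour
)

// newSessionToken returns 256 bits of CSPRNG output as unpadded base64url.
func newSessionToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cookieIsSecure decides the Secure attribute: true when the request arrived
// over TLS, or when the operator declares a trusted TLS-terminating proxy in
// front of the daemon (assumed config flag). Hard-coding true would make the
// cookie unusable over plain HTTP from a non-loopback address.
func cookieIsSecure(r *http.Request, behindTLSProxy bool) bool {
	return r.TLS != nil || behindTLSProxy
}

// sessionCookie is the single place that sets attributes, so the issuing
// cookie and the clearing cookie always match.
func sessionCookie(value string, maxAge int, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     SessionCookieName,
		Value:    value,
		Path:     "/",
		MaxAge:   maxAge,
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteStrictMode,
	}
}

func SetSessionCookie(w http.ResponseWriter, r *http.Request, behindTLSProxy bool) (string, error) {
	token, err := newSessionToken()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, sessionCookie(token, int(SessionDuration.Seconds()), cookieIsSecure(r, behindTLSProxy)))
	return token, nil
}

// ClearSessionCookie writes Max-Age=0 with an empty value; the browser drops
// the stored cookie only if Name, Path and Secure match it.
func ClearSessionCookie(w http.ResponseWriter, r *http.Request, behindTLSProxy bool) {
	http.SetCookie(w, sessionCookie("", -1, cookieIsSecure(r, behindTLSProxy)))
}

// AttributesMatch reports whether cleared would overwrite issued in a browser.
func AttributesMatch(issued, cleared *http.Cookie) bool {
	return issued.Name == cleared.Name && issued.Path == cleared.Path &&
		issued.Secure == cleared.Secure && issued.HttpOnly == cleared.HttpOnly &&
		issued.SameSite == cleared.SameSite
}

// IssueAndClear runs both functions against r through httptest recorders and
// returns the two Set-Cookie headers parsed back into cookies.
func IssueAndClear(r *http.Request, behindTLSProxy bool) (issued, cleared *http.Cookie, err error) {
	rec := httptest.NewRecorder()
	if _, err = SetSessionCookie(rec, r, behindTLSProxy); err != nil {
		return nil, nil, err
	}
	issued = rec.Result().Cookies()[0]
	rec = httptest.NewRecorder()
	ClearSessionCookie(rec, r, behindTLSProxy)
	cleared = rec.Result().Cookies()[0]
	return issued, cleared, nil
}

func main() {
	// Constructed requests covering the three deployment shapes.
	for _, tc := range []struct {
		url   string
		proxy bool
	}{
		{"http://192.0.2.10:8080/login", false}, // plain HTTP on the LAN: Secure must stay false
		{"https://scale.example/login", false},  // direct TLS
		{"http://127.0.0.1:8080/login", true},   // TLS terminated by a trusted proxy
	} {
		issued, cleared, err := IssueAndClear(httptest.NewRequest("GET", tc.url, nil), tc.proxy)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s secure=%-5t clear-matches=%t\n", tc.url, issued.Secure, AttributesMatch(issued, cleared))
	}
}
```

The behindTLSProxy flag matters when login and logout could arrive with different r.TLS values (a proxy that forwards some paths over HTTP, for instance): keeping the decision per deployment rather than per request is what guarantees the clearing cookie matches the one issued at login.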
Comment on lines +171 to +178
http.SetCookie(w, &http.Cookie{
    Name:     SessionCookieName,
    Value:    "",
    Path:     "/",
    MaxAge:   -1,
    HttpOnly: true,
    SameSite: http.SameSiteStrictMode,
})

Check warning: Code scanning / CodeQL
Cookie 'Secure' attribute is not set to true (Medium)
Cookie does not set Secure attribute to true.

Copilot Autofix (AI, 6 days ago)

In general, the fix is to explicitly set the Secure attribute to true on all session cookies so they are only transmitted over HTTPS. This should be done both when creating the session cookie and when clearing it (the deletion cookie should match the original attributes, including Secure, so that it correctly overwrites the existing cookie in browsers).

Concretely, in internal/auth/auth.go:

  • In SetSessionCookie, update the http.Cookie literal passed to http.SetCookie to include Secure: true, alongside HttpOnly and SameSite.
  • In ClearSessionCookie, also update the http.Cookie literal to include Secure: true, so the clearing cookie has the same security attributes as the one that was set.

No new methods or imports are required; Secure is an existing field on http.Cookie from the standard library.

Suggested changeset 1: internal/auth/auth.go

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -161,6 +161,7 @@
 		Path:     "/",
 		MaxAge:   int(SessionDuration.Seconds()),
 		HttpOnly: true,
+		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 	})
 	return token
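Review bot: this is the same edit as the patch on the first alert, differing only in where Secure sits relative to SameSite; git apply of the second patch will fail on context once the first is in, and applying both by hand would duplicate the field and not compile. Take one of the two, and since the codecov report on this PR shows internal/auth/auth.go at 0% patch coverage, add a test that records the Set-Cookie header from SetSessionCookie and asserts on Secure, HttpOnly and SameSite so the attribute cannot regress silently.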
@@ -174,6 +175,7 @@
 		Path:     "/",
 		MaxAge:   -1,
 		HttpOnly: true,
+		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 	})
 }
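Review bot: MaxAge: -1 with an empty Value is the right clearing form (written as Max-Age=0), but if the Secure decision in SetSessionCookie is later made per request rather than per deployment, a logout that arrives over a connection with a different r.TLS state than the login will not remove the cookie. Fix the decision once per deployment (config flag) or derive it identically on both paths, and confirm the clear with a browser or a recorded response rather than assuming it.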
EOF

codecov-commenter commented Feb 19, 2026


Codecov Report

❌ Patch coverage is 0% with 238 lines in your changes missing coverage. Please review.

File                              Patch %   Missing lines
internal/auth/auth.go             0.00%     105
internal/server/server.go         0.00%     100
internal/server/rate_limit.go     0.00%     17
internal/server/broadcaster.go    0.00%     8
internal/daemon/daemon.go         0.00%     5
internal/config/config.go         0.00%     2
internal/logging/logging.go       0.00%     1


…nter warnings for sensitive logging

Signed-off-by: Adrián Constante <ad_con.reload@proton.me>
@adcondev adcondev merged commit 4c15d8f into master Feb 19, 2026
10 checks passed
@adcondev adcondev deleted the feat/login branch February 19, 2026 21:20

Labels: enhancement (New feature or request), size/XL
Project status: Done
