
feat(security-identity): add security review gate via CODEOWNERS, PR template, and label #333

Merged: WilliamBerryiii merged 2 commits into main from feature/issue-171-security-review-gate on Apr 1, 2026

Conversation

@WilliamBerryiii (Member)

IMPORTANT: Before submitting, please remove all sensitive data, secrets, tokens, or confidential information. Ensure you've redacted any NDA-covered information, IP addresses, resource names, or security-related details that shouldn't be publicly disclosed.

Description

Established a security review gate for PRs touching security-sensitive paths in the repository. Three security-sensitive paths were registered in CODEOWNERS with @microsoft/edge-ai-core-dev as required reviewer. A new Security Review checklist section was added to the PR template with five security-focused checks. A security-reviewed label was created to mark PRs that have completed security review.

This change leverages GitHub's native CODEOWNERS mechanism to enforce review requirements at the repository level rather than relying on external tooling or manual processes.

  • Added CODEOWNERS entries for /SECURITY.md, /src/000-cloud/010-security-identity/, and /deploy/ with a comment header documenting the label requirement
  • Added a Security Review section to the PR template with an HTML comment listing the covered paths and five checklist items covering credentials, RBAC, network exposure, dependencies, and container images
  • Replaced the stale MegaLinter reference (mega-linter-runner) with a tool-agnostic "lint checks pass" checklist item
  • Created the security-reviewed GitHub label with color #0E8A16 for PRs touching security-sensitive paths

Related Issue

Fixes #171

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

The security review gate uses a three-part approach:

  1. CODEOWNERS — Three path entries under a new "Security-sensitive paths" comment section trigger automatic review requests from @microsoft/edge-ai-core-dev when PRs modify /SECURITY.md, /src/000-cloud/010-security-identity/, or /deploy/.
  2. PR Template — A Security Review section with an HTML comment documenting the covered paths sits between the existing Checklist and Additional Notes sections. Five checklist items cover common security concerns: credential exposure, RBAC least-privilege, network exposure, dependency vulnerabilities, and container image pinning.
  3. GitHub Label — A security-reviewed label signals that a PR touching security-sensitive code has been reviewed and approved from a security perspective.

The stale MegaLinter checklist item was replaced with a generic lint check item since the repository no longer uses MegaLinter.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Manual validation performed:

  • Verified CODEOWNERS has no duplicate /deploy/ entry and all paths have correct leading /
  • Verified PR template Security Review section is correctly positioned between Checklist and Additional Notes
  • Verified security-reviewed label exists in microsoft/edge-ai via gh label list
  • Ran markdownlint on PULL_REQUEST_TEMPLATE.md — passed with zero errors

Validation Steps

  1. Open .github/CODEOWNERS and confirm three new entries exist under the "Security-sensitive paths" comment for /SECURITY.md, /src/000-cloud/010-security-identity/, and /deploy/
  2. Open .github/PULL_REQUEST_TEMPLATE.md and confirm the Security Review section appears between Checklist and Additional Notes
  3. Verify the five security checklist items are present: credentials, RBAC, network exposure, dependencies, container images
  4. Verify the MegaLinter reference has been replaced with "Lint checks pass"
  5. Run gh label list --search security-reviewed to confirm the label exists

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

Follow-up Tasks

Screenshots (if applicable)

N/A — configuration-only changes with no visual components.
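As an added example (not code from this PR or the edge-ai repository), a small Python check that mirrors the manual validation described above: it parses a CODEOWNERS file for the three security-sensitive entries (presence, leading slash, no duplicate entry, @microsoft/edge-ai-core-dev as owner) and confirms the PR template's Security Review section sits between Checklist and Additional Notes. The sample file contents are constructed, and the use of `## ` headings in the template is an assumption.

```python
"""Checks for the security review gate described in this PR (added example, not
the PR's own code; paths and owner come from the PR description, samples are
constructed)."""
import re

REQUIRED_PATHS = ("/SECURITY.md", "/src/000-cloud/010-security-identity/", "/deploy/")
REQUIRED_OWNER = "@microsoft/edge-ai-core-dev"
SECTION_ORDER = ("Checklist", "Security Review", "Additional Notes")

# Constructed sample CODEOWNERS modelled on the entries the PR describes.
SAMPLE_CODEOWNERS = """\
* @microsoft/edge-ai-core-dev
# Security-sensitive paths: PRs touching these need the security-reviewed label
/SECURITY.md @microsoft/edge-ai-core-dev
/src/000-cloud/010-security-identity/ @microsoft/edge-ai-core-dev
/deploy/ @microsoft/edge-ai-core-dev
"""
# Constructed sample PR template; '## ' headings are an assumption.
SAMPLE_TEMPLATE = ("## Checklist\n- [ ] Lint checks pass\n\n"
                   "## Security Review\n- [ ] No credentials\n\n## Additional Notes\n")

def parse_codeowners(text):
    """Return {pattern: [owner lists]}; full-line '#' comments and blanks are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, *owners = line.split()
        entries.setdefault(pattern, []).append(owners)
    return entries

def check_codeowners(text):
    """Return problems with the security-sensitive entries (empty list means OK)."""
    problems, entries = [], parse_codeowners(text)
    for path in REQUIRED_PATHS:
        if path.lstrip("/") in entries:  # unanchored pattern also matches nested copies
            problems.append(f"{path} entry lacks a leading /")
        if path not in entries:
            problems.append(f"missing entry for {path}")
        elif len(entries[path]) > 1:
            problems.append(f"duplicate entry for {path}")
        elif REQUIRED_OWNER not in entries[path][0]:
            problems.append(f"{path} is not owned by {REQUIRED_OWNER}")
    return problems

def check_template_order(text):
    """True if Security Review sits between Checklist and Additional Notes."""
    headings = re.findall(r"^##\s+(.+?)\s*$", text, flags=re.M)
    positions = [headings.index(s) for s in SECTION_ORDER if s in headings]
    return len(positions) == len(SECTION_ORDER) and positions == sorted(positions)
```

Running `check_codeowners` against the real `.github/CODEOWNERS` and `check_template_order` against `.github/PULL_REQUEST_TEMPLATE.md` reproduces validation steps 1 and 2 without a manual read-through.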

…template, and label

- add security-sensitive path entries to CODEOWNERS for SECURITY.md, 010-security-identity, deploy
- add Security Review checklist section to PR template with 5 security checks
- replace stale MegaLinter reference with generic lint checks pass item
- create security-reviewed label for PRs touching security-sensitive paths

🔒 Fixes #171 - Generated by Copilot
WilliamBerryiii requested a review from a team as a code owner March 31, 2026 02:48
WilliamBerryiii merged commit dcb6d57 into main Apr 1, 2026
33 checks passed
WilliamBerryiii deleted the feature/issue-171-security-review-gate branch April 1, 2026 20:38

Development: successfully merging this pull request may close the linked issue "ci(security): establish security review gate via CODEOWNERS, PR template, and label".