🔧 add CI workflow checker

[sebastianMindee]

Description

Types of changes

• Docs change / refactoring / dependency upgrade
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Requires a change to the official Guide documentation.

[Copilot]

Pull request overview

This PR introduces an additional CI gate to lint GitHub Actions workflows and makes a few workflow hardening/cleanup adjustments across existing CI/release pipelines.

Changes:

• Add a reusable “workflow lint” workflow and wire it into the PR CI pipeline as a prerequisite for static analysis/build steps.
• Adjust scheduled (cron) workflow permissions and refine CodeQL workflow configuration/formatting.
• Improve shell robustness in publishing/docs workflows (GPG key import command and jar path quoting).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
.github/workflows/pull-request.yml	Adds a workflow-lint reusable job and makes static analysis depend on it.
.github/workflows/cron.yml	Expands workflow token permissions for scheduled runs (needs least-privilege tightening).
.github/workflows/_workflow_lint.yml	New reusable workflow running actionlint (currently downloads/executes remote script).
.github/workflows/_publish-docs.yml	Tweaks delombok jar invocation quoting.
.github/workflows/_publish-code.yml	Changes how the GPG secret key is piped into gpg --import.
.github/workflows/_codeql.yml	Cleans up CodeQL workflow content/format and sets language to Java explicitly.
.github/workflows/_build.yml	Changes how the GPG secret key is piped into gpg --import during build/tests.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.