chore(audit-2026-05): apply org-uniform CI/release/README baseline

- Phase C: add .github/workflows/sync-release-branch.yml so release branch auto-tracks vX.Y.Z tags.

- Phase E: add .github/dependabot.yml with weekly cadence + correct ecosystems.

- Phase F: inject org-uniform README badge row + release-model section (idempotent markers).

See embeddedos-org/.github/STANDARDS.md for the canonical release model and tag scheme.

This commit is part of the 2026-05 production-readiness audit.

Author: srpatcha

.github/dependabot.yml

@@ -1,9 +1,75 @@
-# Dependabot disabled — dependency updates are managed manually.
-# To re-enable, set open-pull-requests-limit to a positive number.
+# Standard, org-uniform Dependabot configuration template.
+#
+# Each repo should drop this file at .github/dependabot.yml and uncomment the
+# ecosystem entries that apply. Keep weekly cadence so review backlogs stay
+# manageable. Auto-assigning all PRs to a single triage owner (@srpatcha)
+# prevents the "ten people CC'd, no one acts" failure mode.
+#
+# Reference template lives at embeddedos-org/.github/.github/dependabot-template.yml.
+
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  # GitHub Actions — every repo should keep this enabled.
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 0
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    assignees:
+      - srpatcha
+    labels:
+      - dependencies
+      - github-actions
+
+  # Python — uncomment in repos with pyproject.toml or requirements.txt.
+  # - package-ecosystem: pip
+  #   directory: /
+  #   schedule:
+  #     interval: weekly
+  #     day: monday
+  #   open-pull-requests-limit: 5
+  #   assignees:
+  #     - srpatcha
+  #   labels:
+  #     - dependencies
+  #     - python
+
+  # Node.js — uncomment in repos with package.json.
+  # - package-ecosystem: npm
+  #   directory: /
+  #   schedule:
+  #     interval: weekly
+  #     day: monday
+  #   open-pull-requests-limit: 5
+  #   assignees:
+  #     - srpatcha
+  #   labels:
+  #     - dependencies
+  #     - npm
+
+  # Go — uncomment in repos with go.mod.
+  # - package-ecosystem: gomod
+  #   directory: /
+  #   schedule:
+  #     interval: weekly
+  #     day: monday
+  #   open-pull-requests-limit: 5
+  #   assignees:
+  #     - srpatcha
+  #   labels:
+  #     - dependencies
+  #     - go
+
+  # Docker — uncomment in repos with Dockerfile.
+  # - package-ecosystem: docker
+  #   directory: /
+  #   schedule:
+  #     interval: weekly
+  #     day: monday
+  #   open-pull-requests-limit: 3
+  #   assignees:
+  #     - srpatcha
+  #   labels:
+  #     - dependencies
+  #     - docker

.github/workflows/sync-release-branch.yml

@@ -0,0 +1,72 @@
+name: sync-release-branch
+
+# When a vMAJOR.MINOR.PATCH (or rc) tag is pushed to master, force-push that
+# exact commit to the `release` branch so `release` is always a rolling
+# pointer to the latest released tag. This is the org-uniform release model:
+#
+#   master   = line of development, every PR lands here.
+#   release  = exact commit of the latest released vX.Y.Z tag, updated only
+#              by this workflow. Never push to release manually.
+#   tags     = immutable named snapshots created on master.
+#
+# Mirror of this file lives in embeddedos-org/.github/.github/workflows/sync-release-branch.yml.
+# Drift from that template should be considered a bug.
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+'
+
+permissions:
+  contents: write
+
+concurrency:
+  group: sync-release-branch
+  cancel-in-progress: false
+
+jobs:
+  sync:
+    name: Force-push tag commit to release branch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout tagged commit
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          ref: ${{ github.ref }}
+
+      - name: Compute target SHA
+        id: target
+        run: |
+          sha=$(git rev-parse HEAD)
+          echo "sha=$sha" >> "$GITHUB_OUTPUT"
+          echo "Force-pushing $sha (from tag ${GITHUB_REF#refs/tags/}) to refs/heads/release"
+
+      - name: Force-push to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # Try to update; if release doesn't exist, create it.
+          if gh api "repos/${GITHUB_REPOSITORY}/git/refs/heads/release" >/dev/null 2>&1; then
+            gh api -X PATCH "repos/${GITHUB_REPOSITORY}/git/refs/heads/release" \
+              -f sha="${{ steps.target.outputs.sha }}" -F force=true >/dev/null
+            echo "release fast-forwarded / force-updated"
+          else
+            gh api -X POST "repos/${GITHUB_REPOSITORY}/git/refs" \
+              -f ref=refs/heads/release -f sha="${{ steps.target.outputs.sha }}" >/dev/null
+            echo "release created"
+          fi
+
+      - name: Summary
+        run: |
+          {
+            echo "## release branch updated"
+            echo ""
+            echo "- tag:   \`${GITHUB_REF#refs/tags/}\`"
+            echo "- sha:   \`${{ steps.target.outputs.sha }}\`"
+            echo "- repo:  \`${GITHUB_REPOSITORY}\`"
+            echo ""
+            echo "release branch now points at the same commit as the tag."
+          } >> "$GITHUB_STEP_SUMMARY"

README.md

@@ -1,5 +1,14 @@
 # EmbeddedOS (EoS) Research Foundation
 
+<!-- begin: org-uniform badges (audit-2026-05) -->
+[![CI](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/ci.yml/badge.svg)](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/codeql.yml/badge.svg)](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/codeql.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/embeddedos-org/www.embeddedos.org/badge)](https://securityscorecards.dev/viewer/?uri=github.com/embeddedos-org/www.embeddedos.org)
+[![Release](https://img.shields.io/github/v/tag/embeddedos-org/www.embeddedos.org?label=release&sort=semver)](https://github.com/embeddedos-org/www.embeddedos.org/releases)
+[![License](https://img.shields.io/github/license/embeddedos-org/www.embeddedos.org)](LICENSE)
+<!-- end: org-uniform badges (audit-2026-05) -->
+
+
 [![Validate & Deploy](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/deploy.yml/badge.svg)](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/deploy.yml)
 [![Website Tests](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/tests.yml/badge.svg)](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/tests.yml)
 [![Weekly Release](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/weekly-release.yml/badge.svg)](https://github.com/embeddedos-org/www.embeddedos.org/actions/workflows/weekly-release.yml)
@@ -165,6 +174,19 @@ gh variable set SENTRY_DSN --body "https://...@sentry"  # Error monitoring
 | [embeddedos-org.github.io/eApps](https://embeddedos-org.github.io/eApps/) | App Store — browse/download 60+ apps |
 | [github.com/embeddedos-org](https://github.com/embeddedos-org) | GitHub organization — all source code |
 
+<!-- begin: release-model (audit-2026-05) -->
+## Release model
+
+`master` is the line of development; every PR lands here. `release` is a
+rolling pointer to the latest released `vX.Y.Z` tag, updated automatically
+by [`.github/workflows/sync-release-branch.yml`](.github/workflows/sync-release-branch.yml).
+Tags are immutable.
+
+See [embeddedos-org/.github/STANDARDS.md](https://github.com/embeddedos-org/.github/blob/master/STANDARDS.md)
+for the org-wide tag scheme, release model, and the compliance frameworks
+every product targets.
+<!-- end: release-model (audit-2026-05) -->
+
 ## License
 
 MIT — see [LICENSE](licenses.html) for details.