ci: adopt storage-go's GitHub Actions setup #1

Merged: Xe merged 2 commits into main from ci/github-actions-setup on Jun 2, 2026
@Xe Xe commented Jun 2, 2026

Summary

  • Mirror tigrisdata/storage-go's GitHub Actions setup so objgit gets the same test matrix, supply-chain checks, and automated releases.
  • Adds CI workflows (build/test/staticcheck, zizmor, PR-title lint, DCO), the semantic-release release pipeline, and the local commit hooks that back it.

Details

Workflows (.github/workflows, all SHA-pinned):

  • go.yml — matrix build/test across ubuntu/windows/macos + arm variants, running go vet, go test, and staticcheck on every push and PR. The full OS matrix matters because objgit shells out to git/ssh/ssh-keygen for its protocol tests, so cross-platform regressions are real. A trailing autorelease job dispatches release.yaml on main.
  • zizmor.yml — scans the workflow files for CI misconfig and uploads SARIF; runs only when a workflow changes.
  • lint-pr-titles.yaml — enforces conventional-commit PR titles (what semantic-release reads to pick the version bump).
  • dco_check.yaml — requires Signed-off-by on every PR.
  • pull_request_template.md.

Release tooling:

  • package.json carries the semantic-release config plus commitlint, lint-staged, and prettier. npmPublish is off — this is a Go binary; semantic-release is used purely for tagging/changelog/GitHub releases.
  • release.yaml runs semantic-release on a throwaway release-* branch and opens a release PR (needs the WRITE_GH_TOKEN secret).
  • .husky/{commit-msg,pre-commit} wire commitlint + npm test and lint-staged into git hooks; package-lock.json is committed so npm ci is reproducible.

Build/tooling:

  • Add goimports and staticcheck as go tool directives so the format hook and local linting work without global installs. go mod tidy also dropped a stale self-referential require on the old tangled.org module path left from the org move.
  • Drop the unused embedded s3Client from optRecorder in resilient_test.go — it overrides all nine interface methods directly, so the embed was dead and tripped staticcheck (U1000), which would have made the new pipeline red on first run.

Docs: consolidate agent guidance into AGENTS.md and point CLAUDE.md at it, matching storage-go's layout.

Test plan

  • go build ./...
  • go vet ./...
  • go tool staticcheck ./... — clean
  • go test ./... — all pass
  • commit hooks (commitlint + lint-staged + npm test) verified by the commit itself
  • Action item: set the WRITE_GH_TOKEN repo secret before relying on release.yaml
  • Watch the Windows matrix legs on first run (git/ssh shell-out tests)

Mirror the CI/release pipeline used by tigrisdata/storage-go so objgit
gets the same test matrix, supply-chain checks, and automated releases.

Workflows (.github/workflows), all with SHA-pinned actions:

- go.yml: matrix build/test across ubuntu/windows/macos + arm variants,
  running `go vet`, `go test`, and staticcheck on every push and PR. The
  full OS matrix matters here because objgit shells out to git/ssh/
  ssh-keygen for its protocol tests, so cross-platform regressions are
  real. A trailing `autorelease` job dispatches release.yaml on main so a
  green build can cut a release without manual steps.
- zizmor.yml: scans the workflow files themselves for CI misconfig and
  uploads SARIF; runs only when a workflow changes.
- lint-pr-titles.yaml: enforces conventional-commit PR titles, which is
  what semantic-release reads to decide the version bump.
- dco_check.yaml: requires Signed-off-by on every PR (DCO).
- pull_request_template.md: standard summary/details/test-plan checklist.

Release tooling:

- package.json carries the semantic-release config (commit-analyzer
  release rules, changelog, GitHub release, git asset commit), plus
  commitlint, lint-staged, and prettier so local commits match CI
  expectations. npmPublish is off; this is a Go binary, semantic-release
  is used purely for tagging/changelog/GitHub releases.
- release.yaml runs semantic-release on a throwaway release-* branch and
  opens a release PR (needs the WRITE_GH_TOKEN secret), matching
  storage-go's "release via PR" flow.
- .husky/{commit-msg,pre-commit} wire commitlint + npm test and
  lint-staged into git hooks; package-lock.json is committed so
  `npm ci` in release.yaml is reproducible.
- .prettierignore excludes CLAUDE.md; .gitignore now ignores
  node_modules.

Build/tooling:

- Add goimports and staticcheck as `go tool` directives so the format
  hook (`go tool goimports`) and local linting work without global
  installs, matching storage-go. `go mod tidy` also dropped a stale
  self-referential require on the old tangled.org module path left over
  from the org move.
- Drop the unused embedded s3Client from optRecorder in
  resilient_test.go: it overrides all nine interface methods directly,
  so the embed was dead and tripped staticcheck (U1000), which would
  have made the new pipeline red on its first run.

Docs:

- Consolidate agent guidance into AGENTS.md and point CLAUDE.md at it,
  matching storage-go's layout.

Assisted-by: Claude Opus 4.8 via Claude Code
Signed-off-by: Xe Iaso <xe@tigrisdata.com>
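
The description and commit message above state that every action under .github/workflows is SHA-pinned. The following is an added example, not code from this PR, from objgit, or from zizmor: a line-based Go check that reports `uses:` references not pinned to a full commit SHA. The names `UnpinnedActions` and `Finding`, the sample workflow fragment, and its placeholder SHA are all constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// usesRe captures a `uses:` reference; shaRe matches a full 40-hex commit SHA.
var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding is one `uses:` reference that is not pinned to a commit SHA.
type Finding struct {
	Line int
	Ref  string
}

// UnpinnedActions lists remote action references not pinned to a full SHA.
func UnpinnedActions(workflow string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		// Local actions and docker:// images are not git refs; skipped here.
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		if at := strings.LastIndex(m[1], "@"); at < 0 || !shaRe.MatchString(m[1][at+1:]) {
			out = append(out, Finding{Line: n, Ref: m[1]})
		}
	}
	return out
}

// sample is a constructed workflow fragment; the 40-hex SHA is a placeholder.
const sample = `steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: actions/setup-go@v5
  - uses: ./.github/actions/lint
  - uses: actions/cache@main
`

func main() {
	for _, f := range UnpinnedActions(sample) {
		fmt.Printf("line %d: %s is not pinned to a commit SHA\n", f.Line, f.Ref)
	}
}
```

Tags and branch names are mutable, so only the 40-hex form passes; abbreviated SHAs are reported as well.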
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/go.yml Fixed
Comment thread .github/workflows/lint-pr-titles.yaml Dismissed
They're hanging infinitely.

Signed-off-by: Xe Iaso <xe@tigrisdata.com>
Comment thread .github/workflows/go.yml Dismissed
@Xe Xe merged commit 4fd6e5f into main Jun 2, 2026
8 checks passed