chore(repo): fix license detection and add github workflows

LICENSE now starts with the EUPL-1.2 standard header so github-linguist
detects the licence correctly in the repo header. The dual-copyright
block (upstream ChatTwo authors plus Hellion Online Media) moves into a
new COPYRIGHT file referenced from the README. NOTICE.md and
UPSTREAM_SYNC.md stay as-is.

New files under .github:

- workflows/build.yml: validates every push to main and every PR
  against the current Dalamud staging branch on a Windows runner
- workflows/release.yml: builds Release on every v* tag, locates the
  DalamudPackager latest.zip and attaches it to the matching GitHub
  Release via softprops/action-gh-release
- dependabot.yml: weekly NuGet sweeps and monthly GitHub Actions
  sweeps with conventional-commit prefixes, grouped patch and minor
  PRs to cut review noise
- ISSUE_TEMPLATE/bug_report.yml + feature_request.yml + config.yml:
  structured intake that pushes security reports through the private
  advisory flow and routes upstream-only issues to ChatTwo
- SECURITY.md: documents the vulnerability reporting channels, scope,
  and target disclosure window

The release workflow replaces the previous manual upload step. Tag a
release and the ZIP shows up on the release page automatically.

SECURITY.md

@@ -0,0 +1,49 @@
+# Security policy
+
+## Reporting a vulnerability
+
+If you find a security issue in HellionChat, please do not open a public
+GitHub issue. Use one of the private channels below instead so we can
+investigate and ship a fix before the details go out.
+
+**Preferred:**
+[Privately report a vulnerability](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new)
+through GitHub's Security Advisories. This routes the report directly to
+me and keeps the conversation off the public timeline.
+
+**Alternative:**
+- Email: `maintainer@hellion-media.de`
+- Discord: `@j.j_kazama`
+
+I respond on weekdays during European business hours. For urgent
+disclosures (active exploitation, user-data exposure) email is the
+fastest path.
+
+## What I treat as in scope
+
+- Code paths in HellionChat that touch user-controlled input (chat
+  messages, plugin config, file paths the user can influence)
+- The privacy filter in MessageStore.cs and the export pipeline
+- The Configuration migration logic
+- The EmoteCache HTTP client and path handling
+- The Auto-Tell-Tabs spawn logic and history preload
+
+## What is not in scope
+
+- Issues in upstream Chat 2 that we have not modified — please report
+  those at <https://github.com/Infiziert90/ChatTwo/issues>
+- Issues in Dalamud itself — those go to <https://github.com/goatcorp/Dalamud>
+- Issues in the FFXIV game client
+- Anything that needs the user to install a malicious plugin first
+
+## Acknowledgement
+
+I list everyone who reports a real issue in the changelog of the release
+that fixes it, unless they prefer to stay anonymous. No bug bounty,
+nothing financial; this is a hobby plugin.
+
+## Disclosure window
+
+I aim to ship a fix within 14 days for high-severity issues and within
+30 days for everything else. If a fix needs more time I will say so in
+the private thread.