Merge chore/release-notes-hygiene: drop duplicated install block + retire hand-edited CHANGELOG

Triggered by Reddit feedback (sysadmin user complained that every
release page shows the same install instructions instead of what
actually changed). Two changes:

1) .github/workflows/release.yml: removed ~80 lines of hardcoded
   install/docker/helm boilerplate from the release body. Replaced
   with a single link to README.md#quick-start (the source of truth
   for install instructions). Kept the per-release supply-chain
   verification block (Cosign / SLSA / SBOM steps with the version
   baked into the commands) — that IS per-release-meaningful and the
   kind of content a security-conscious operator actually wants.
   generate_release_notes: true unchanged → GitHub auto-generates the
   'What's Changed' section from commits between this tag and the
   previous one.

2) CHANGELOG.md: replaced 1393-line hand-edited document with a
   one-paragraph stub pointing at GitHub Releases as the source of
   truth. The old CHANGELOG had drifted (everything since v2.2.0
   piled into [unreleased]; tags v2.0.55-v2.0.61 had no entries).
   A stale CHANGELOG is worse than no CHANGELOG — signals abandoned
   maintenance to operators doing security diligence. Auto-generated
   notes from commit messages work here because the project's commit
   message convention is already descriptive (see git log v2.0.50..HEAD
   for established pattern). Pre-v2.2.0 history preserved at the
   v2.2.0 git tag.

Net result: every future release page shows
  - 'What's Changed' (auto from commits, per-release-unique)
  - 'Verifying this release' (Cosign/SLSA verification, per-release-version)
  - One-line link to README install
…instead of the same 80-line install block on every release.

Verification:
  - python3 yaml.safe_load(.github/workflows/release.yml): OK
  - No internal references to CHANGELOG.md elsewhere in repo
    (grep README.md docs/ → empty)
  - Release-pipeline change is YAML-only; no Go code touched

Bundle: chore/release-notes-hygiene

.github/workflows/codeql.yml

@@ -0,0 +1,81 @@
+name: CodeQL
+
+# Public-facing SAST baseline that complements the existing security-deep-scan
+# workflow (gosec, osv-scanner, trivy, ZAP, semgrep, schemathesis, nuclei,
+# testssl) with cross-file Go and JavaScript dataflow analysis. Results land
+# in the repository's Security → Code scanning tab as a public signal — any
+# operator/security team auditing certctl can see the scan history and
+# triage state without asking.
+#
+# Why CodeQL in addition to gosec:
+#   - gosec is single-file pattern matching (catches obvious issues like
+#     `os/exec.Command(userInput)`); CodeQL does interprocedural taint
+#     tracking (catches the same issue when the userInput is laundered
+#     through several function calls or struct fields).
+#   - GitHub-native; no third-party SaaS license gate (works for BSL 1.1
+#     and other source-available licenses, unlike Aikido / Snyk / SonarCloud
+#     free tiers which require OSI-approved licenses).
+#   - SARIF results auto-deduplicate and persist on PRs, so reviewers see
+#     "this PR introduces N new findings" rather than re-running ad hoc.
+#
+# Findings that are intentional (e.g., the SSH connector's
+# InsecureIgnoreHostKey, ACME DNS solver's intentional shell-out to operator-
+# supplied scripts) get suppressed via inline `// codeql[<rule-id>]`
+# comments OR via a `.github/codeql/codeql-config.yml` query-pack tweak —
+# document the rationale in the same commit that adds the suppression so
+# the public scan-tab readers see the threat-model justification.
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    # Weekly Sunday 06:00 UTC, in addition to push/PR coverage. Catches
+    # rule-pack updates from CodeQL upstream (their Go/JS rulesets ship
+    # new queries on a roughly-monthly cadence).
+    - cron: '0 6 * * 0'
+
+permissions:
+  contents: read
+  security-events: write   # SARIF upload to GitHub code scanning
+  actions: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [go, javascript-typescript]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v5
+        with:
+          # Match ci.yml + release.yml + security-deep-scan.yml.
+          go-version: '1.25.9'
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use the security-and-quality query suite — security finds plus
+          # maintainability/correctness issues that the smaller security-extended
+          # suite skips. Comparable scope to what Aikido / SonarCloud run.
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          # SARIF upload is implicit (and is what populates the Security tab).

.github/workflows/release.yml

@@ -334,75 +334,21 @@ jobs:
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Create release with notes
+        # generate_release_notes: true asks GitHub to auto-generate the
+        # "What's Changed" section from PRs+commits between this tag and the
+        # previous one. The hardcoded body below appends a per-release
+        # supply-chain verification block (Cosign / SLSA / SBOM steps with the
+        # current version baked into the commands) plus a single link to the
+        # README's Quick Start section for install/upgrade instructions.
+        # We deliberately do NOT duplicate install instructions here — the
+        # README is the source of truth for those, and inlining them in every
+        # release page produces the kind of "every release looks identical"
+        # noise that gives operators no signal about what actually changed.
         uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           body: |
-            ## Installation
-
-            ### Quick Install (Linux/macOS)
-
-            ```bash
-            curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
-            ```
-
-            ### Manual Binary Download
-
-            Download the appropriate binary for your OS and architecture:
-
-            - **Linux x86_64**: `certctl-agent-linux-amd64`
-            - **Linux ARM64**: `certctl-agent-linux-arm64`
-            - **macOS x86_64**: `certctl-agent-darwin-amd64`
-            - **macOS ARM64 (Apple Silicon)**: `certctl-agent-darwin-arm64`
-
-            Then make it executable and start the service:
-
-            ```bash
-            chmod +x certctl-agent-linux-amd64
-            sudo mv certctl-agent-linux-amd64 /usr/local/bin/certctl-agent
-            ```
-
-            ## Docker Images
-
-            Pull pre-built Docker images for server and agent:
-
-            ```bash
-            docker pull ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
-            docker pull ghcr.io/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
-            ```
-
-            Or use the latest tag:
-
-            ```bash
-            docker pull ghcr.io/shankar0123/certctl-server:latest
-            docker pull ghcr.io/shankar0123/certctl-agent:latest
-            ```
-
-            ## Docker Compose Quick Start
-
-            ```bash
-            git clone https://github.com/shankar0123/certctl.git
-            cd certctl
-            cp deploy/.env.example deploy/.env
-            docker compose -f deploy/docker-compose.yml up -d
-            ```
-
-            ## Server Binaries
-
-            Pre-compiled server binaries are also available for direct installation:
-
-            - **Linux x86_64**: `certctl-server-linux-amd64`
-            - **Linux ARM64**: `certctl-server-linux-arm64`
-            - **macOS x86_64**: `certctl-server-darwin-amd64`
-            - **macOS ARM64 (Apple Silicon)**: `certctl-server-darwin-arm64`
-
-            ## CLI & MCP Server Binaries
-
-            The `certctl-cli` (REST API wrapper) and `certctl-mcp-server` (Model Context
-            Protocol bridge) binaries ship for all four platforms as well:
-
-            - `certctl-cli-{linux,darwin}-{amd64,arm64}`
-            - `certctl-mcp-server-{linux,darwin}-{amd64,arm64}`
+            > **Install / upgrade:** see the [Quick Start section in the README](https://github.com/shankar0123/certctl/blob/master/README.md#quick-start) for Docker Compose, agent install, Helm, and binary download instructions.
 
             ## Verifying this release
 
@@ -463,15 +409,3 @@ jobs:
               --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
               "$IMAGE"
             ```
-
-            ## Helm Chart
-
-            Deploy certctl to Kubernetes using Helm:
-
-            ```bash
-            helm repo add certctl https://github.com/shankar0123/certctl/tree/master/deploy/helm
-            helm repo update
-            helm install certctl certctl/certctl
-            ```
-
-            See `deploy/helm/certctl/` for values customization.