feat(ci): implement CI dry-run workflow and PR checklist for history rewrite process

.github/PULL_REQUEST_TEMPLATE/history-rewrite.md

@@ -0,0 +1,23 @@
+<!-- PR: History Rewrite & Large-file Removal -->
+
+## Summary
+- Provide a short summary of why the history rewrite is needed.
+
+## Checklist - required for history rewrite PRs
+- [ ] I have created a **local** backup branch: `backup/history-YYYYMMDD-HHMMSS` and verified it contains all refs.
+- [ ] I have run a dry-run locally: `scripts/history-rewrite/preview_removals.sh --paths 'backend/codeql-db,codeql-db,codeql-db-js,codeql-db-go' --strip-size 50` and attached the output or paste it below.
+- [ ] I have verified the `data/backups` tarball is present and tests showing rewrite will not remove unrelated artifacts.
+- [ ] I have coordinated with repo maintainers for a rewrite window and notified other active forks/tokens that may be affected.
+- [ ] I have run the CI dry-run job and ensured it completes without blocked findings.
+- [ ] This PR only contains the history-rewrite helpers; no destructive rewrite is included in this PR.
+- [ ] I will not run the destructive `--force` step without explicit approval from maintainers and a scheduled maintenance window.
+
+## Attachments
+Attach the `preview_removals` output and `data/backups/history_cleanup-*.log` content.
+
+## Approach
+Describe the paths to be removed, strip size, and whether additional blob stripping is required.
+
+# Notes for maintainers
+- The workflow `.github/workflows/dry-run-history-rewrite.yml` will run automatically on PR updates.
+- Please follow the checklist and only approve after offline confirmation.

.github/workflows/dry-run-history-rewrite.yml

@@ -0,0 +1,34 @@
+name: History Rewrite Dry-Run
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  schedule:
+    - cron: '0 2 * * *' # daily at 02:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  preview-history:
+    name: Dry-run preview for history rewrite
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Debug git info
+        run: |
+          git --version
+          git rev-parse --is-shallow-repository || true
+          git status --porcelain
+
+      - name: Make CI script executable
+        run: chmod +x scripts/ci/dry_run_history_rewrite.sh
+
+      - name: Run dry-run history check
+        run: |
+          scripts/ci/dry_run_history_rewrite.sh --paths 'backend/codeql-db,codeql-db,codeql-db-js,codeql-db-go' --strip-size 50

.github/workflows/pr-checklist.yml

@@ -0,0 +1,25 @@
+name: PR Checklist Validation (History Rewrite)
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+
+jobs:
+  validate:
+    name: Validate history-rewrite checklist
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Validate PR checklist
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = await github.rest.pulls.get({owner: context.repo.owner, repo: context.repo.repo, pull_number: context.issue.number});
+            const body = (pr.data && pr.data.body) || '';
+            const required = [ 'preview_removals.sh', 'data/backups', 'I will not run the destructive --force' ];
+            for (const r of required) {
+              if (!body.toLowerCase().includes(r.toLowerCase())) { core.setFailed('Missing required checklist item: '+r); return; }
+            }
+            core.info('PR checklist looks good');