[feature] Migrate complete CI/CD pipeline (tier policy, baseline + extended + heavy workflows, quality tooling) #21

Description

@yreyricord

Scope of the proposal

CI/CD or tooling improvement

Most impacted component

CI / GitHub Actions

Problem statement and motivation

The BIOMASS BPS repository currently has no continuous integration. As a result:

  • No automated test execution on pull requests. Regressions ship by accident.
  • No automated quality gates (lint, REUSE, DCO, security scanning).
  • No risk-based classification of contributions. A scientifically critical change is treated the same as a typo fix.
  • No way to enforce coding standards before merge.
  • No reproducible build environment between contributors.
  • Maintainers cannot demonstrate to ESA or external auditors that every contribution is verified before integration.

This issue delivers the full CI/CD pipeline as a single cohesive system: the tier-policy judge that classifies every PR, the three tier-graduated workflows that run the appropriate level of validation, the test scaffold that the workflows execute against, and the developer-side quality tooling (pre-commit, ruff, nox) that lets contributors catch issues locally before pushing.

Proposed solution

Add the following files in a single PR:

Tier policy (the judge):

  • .github/tier-policy.yml: single source of truth declaring locked_paths, sme_owned_paths, tier_2_paths, and promotion rules. Read from the PR base branch (never from the PR head, to prevent a PR from modifying its own judge).
  • scripts/ci_tier_decision.py: computes the tier from the diff between base and head.
  • scripts/check-dco-commit-msg.sh: verifies every commit carries a Signed-off-by: trailer.

Workflows (tier-graduated):

  • .github/workflows/ci.yml: baseline. Runs on every PR. Jobs: tier-decision, dco, reuse, lint, baseline-tests, build. All jobs must be green for the PR to be eligible for merge.
  • .github/workflows/extended-ci.yml: extended. Runs when the tier decision returns 1 or 2. Adds extended-tier tests on top of baseline.
  • .github/workflows/heavy-ci.yml: heavy. Runs when the tier decision returns 2, or on manual workflow_dispatch with run_heavy=true. Adds long-running and resource-intensive tests.

Test harness scaffold:

  • pytest.ini: pytest configuration with markers baseline, extended, heavy.
  • test/baseline/test_baseline_placeholder.py: minimal placeholder test the baseline workflow runs against.
  • test/extended/test_extended_placeholder.py: placeholder for extended.
  • test/heavy/test_heavy_placeholder.py: placeholder for heavy.

Developer-side quality tooling:

  • .pre-commit-config.yaml: hooks for ruff, REUSE lint, end-of-file fixer, trailing whitespace, large file guard.
  • ruff.toml: lint and format configuration.
  • noxfile.py: common developer commands (nox -s test, nox -s lint, nox -s docs).
  • scripts/noxfile_common.py: shared helpers across nox sessions.
  • scripts/fawltydeps.toml: dead dependency detection.
  • pyproject.toml: tool configuration sections only ([tool.ruff], [tool.pytest.ini_options], etc.). Does not touch package dependencies.

Alternatives considered

No response

Expected impact

  • Dependencies: New CI-only dev dependencies: ruff, pre-commit, nox, reuse, fawltydeps, pytest. None added to runtime.
  • Documentation: Contributing guide must reference the tier model and the local quality commands.
  • Validation: PRs cannot be merged unless CI is green (enforced by branch protections in a separate later issue).

Additional context

No response

Pre-submission checklist

  • I have searched existing issues and discussions for a similar proposal.
  • I have read the contributing guidelines and the project governance.
  • I am available to discuss the design before any implementation starts.
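
The proposal above requires the tier policy to be read from the PR base branch so that a PR cannot modify its own judge. The following added example (not the project's scripts/ci_tier_decision.py) shows the same PR judged by the base copy and by a weakened head copy. The key-to-tier mapping, glob matching, the src/ paths and all sample data are assumptions.

```python
from fnmatch import fnmatch

POLICY_FILE = ".github/tier-policy.yml"

# Constructed sample: policy as parsed from the base-branch copy, e.g. the
# output of `git show <base_sha>:.github/tier-policy.yml`. src/ paths are hypothetical.
BASE_POLICY = {
    "locked_paths": [POLICY_FILE, "scripts/ci_tier_decision.py"],
    "sme_owned_paths": ["src/science/*"],
    "tier_2_paths": ["src/core/*"],
}

# Assumed mapping from policy key to tier (0 = baseline only, 1 = extended, 2 = heavy).
KEY_TIER = {"sme_owned_paths": 1, "tier_2_paths": 2, "locked_paths": 2}


def decide_tier(policy, changed_files):
    """Return (tier, reasons): the highest tier triggered by any changed path."""
    tier, reasons = 0, []
    for path in changed_files:
        for key, key_tier in KEY_TIER.items():
            hits = [pat for pat in policy.get(key, []) if fnmatch(path, pat)]
            if hits:
                reasons.append((path, key, hits[0]))
                tier = max(tier, key_tier)
    return tier, reasons


# Constructed PR: rewrites the policy file to empty every list, and also
# changes core code that the base policy places in tier 2.
CHANGED = [POLICY_FILE, "src/core/solver.py", "README.md"]
HEAD_POLICY = {"locked_paths": [], "sme_owned_paths": [], "tier_2_paths": []}


def compare_judges(changed=CHANGED):
    """Tier as judged by the base policy vs. by the PR's own edited policy."""
    base_tier, _ = decide_tier(BASE_POLICY, changed)
    head_tier, _ = decide_tier(HEAD_POLICY, changed)
    return base_tier, head_tier


if __name__ == "__main__":
    tier, reasons = decide_tier(BASE_POLICY, CHANGED)
    print("tier from base policy:", tier)
    for path, key, pattern in reasons:
        print(f"  {path} matched {key} ({pattern})")
    print("base vs head judge:", compare_judges())
```

Judged by the head copy, the PR would downgrade itself to baseline-only checks; judged by the base copy, the edit to the policy file is itself what raises the tier.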

Metadata

Assignees

No one assigned

    Labels

    • component:ci
    • needs-triage (Awaiting initial triage by maintainers)
    • status:approved (Triaged and approved for implementation. Safe to start work.)
    • type:feature (New feature or enhancement (non-scientific))
