ADR-0018: Upstream CI Security/Performance Freshness Gates for Release Policy

Context

Release decisions must reflect recent upstream security and performance outcomes, not stale historical passes.

Make upstream CI gate freshness a hard release policy requirement.

•Required upstream workflows: security scan and performance gate.

•Latest completed runs on target branch must be successful and within max age policy.

•Missing credentials/metadata for gate checks fail closed.

•Release posture is anchored to current risk signal.

•Eliminates stale-pass blind spots.

•Additional dependency on CI metadata and API access.

•scripts/release-validation/validate-upstream-ci-gates.sh

•.github/workflows/deploy-docker.yml