feat: Add Python CI workflow with UV package manager

- Add setup-python-uv composite action for fast cached Python setup
- Add python-ci.yml reusable workflow with:
  - Ruff linting and formatting
  - Pyright type checking
  - Matrix pytest with coverage enforcement
  - Bandit security scanning (SARIF upload)
- Update README with comprehensive documentation
- Based on 2025 best practices using astral-sh/setup-uv@v5

README.md

@@ -7,43 +7,104 @@ Reusable GitHub Actions workflows and composite actions for CI/CD pipelines.
 
 ## Workflows
 
-```
-.github/workflows/
-├── docker-build.yml      # Build, scan, and push Docker images
-├── terraform-plan.yml    # Terraform plan with cost estimation
-├── k8s-deploy.yml        # Kubernetes deployment with ArgoCD
-├── security-scan.yml     # SAST, DAST, dependency scanning
-└── release.yml           # Semantic release automation
-```
+| Workflow | Description |
+|----------|-------------|
+| [`python-ci.yml`](.github/workflows/python-ci.yml) | Python CI with UV (lint, type-check, test, security) |
 
 ## Composite Actions
 
-```
-actions/
-├── docker-build/         # Multi-arch Docker build
-├── terraform-plan/       # Terraform plan with PR comments
-├── k8s-deploy/           # Kubernetes deployment
-└── security-scan/        # Trivy, Grype, CodeQL
-```
+| Action | Description |
+|--------|-------------|
+| [`setup-python-uv`](actions/setup-python-uv) | Fast Python setup with UV package manager |
 
-## Usage
+## Quick Start
+
+### Python CI
 
 ```yaml
+# .github/workflows/ci.yml
+name: CI
+on: [push, pull_request]
+
 jobs:
-  build:
-    uses: ghndrx/github-actions-library/.github/workflows/docker-build.yml@main
+  ci:
+    uses: ghndrx/github-actions-library/.github/workflows/python-ci.yml@main
     with:
-      image-name: myapp
-    secrets: inherit
+      python-versions: '["3.11", "3.12", "3.13"]'
+      run-typecheck: true
+      coverage-threshold: 80
 ```
 
-## Features
+### Setup Python with UV (Composite Action)
 
-- ✅ Reusable workflows (DRY)
-- ✅ Matrix builds
-- ✅ Security scanning built-in
-- ✅ Caching optimization
-- ✅ OIDC authentication (no long-lived secrets)
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  
+  - uses: ghndrx/github-actions-library/actions/setup-python-uv@main
+    with:
+      python-version: '3.12'
+      extras: 'dev,test'
+  
+  - run: uv run pytest
+```
+
+## Python CI Workflow Features
+
+The `python-ci.yml` reusable workflow provides:
+
+- **Ruff linting** - Fast Python linter with auto-fix suggestions
+- **Pyright type checking** - Strict type validation
+- **Matrix testing** - Test across multiple Python versions
+- **Coverage enforcement** - Fail if coverage drops below threshold
+- **Bandit security scanning** - Detect security vulnerabilities
+- **UV caching** - 10-100x faster than pip installs
+
+### Inputs
+
+| Input | Type | Default | Description |
+|-------|------|---------|-------------|
+| `python-versions` | string | `'["3.12"]'` | JSON array of Python versions |
+| `working-directory` | string | `.` | Project directory |
+| `run-lint` | boolean | `true` | Run Ruff linter |
+| `run-typecheck` | boolean | `true` | Run Pyright |
+| `run-tests` | boolean | `true` | Run pytest |
+| `run-security` | boolean | `true` | Run Bandit scanner |
+| `test-command` | string | `pytest --cov --cov-report=xml` | Custom test command |
+| `coverage-threshold` | number | `0` | Min coverage % (0 to disable) |
+| `extras` | string | `''` | Extra dependency groups |
+
+## Requirements
+
+Projects using the Python CI workflow should have:
+
+- `pyproject.toml` with UV-compatible configuration
+- Dev dependencies: `ruff`, `pyright`, `pytest`, `pytest-cov`, `bandit`
+
+Example `pyproject.toml`:
+
+```toml
+[project]
+name = "myproject"
+requires-python = ">=3.11"
+
+[tool.uv]
+dev-dependencies = [
+    "ruff>=0.8",
+    "pyright>=1.1",
+    "pytest>=8.0",
+    "pytest-cov>=6.0",
+    "bandit>=1.8",
+]
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.pyright]
+pythonVersion = "3.12"
+typeCheckingMode = "standard"
+```
 
 ## License