
Harden dependency automation and remediate Trivy action supply-chain exposure #113

Draft
Copilot wants to merge 6 commits into main from copilot/update-dependabot-config

Conversation

Contributor

Copilot AI commented May 9, 2026

This PR tightens dependency update automation and CI security reporting while addressing the flagged Trivy action compromise window. It adds structured Dependabot policies, constrains bot-driven merge behavior, and upgrades Trivy action usage to a patched release line.

  • Dependabot update policy

    • Added .github/dependabot.yml with daily npm updates, grouped by dependency type and semver level.
    • Applied consistent dependency labels and commit prefixes for production vs development updates.
    • Kept major updates explicitly separated for manual review flow.
  • Dependabot auto-merge controls

    • Added .github/workflows/dependabot-automerge.yml.
    • Switched trigger to pull_request_target (still gated to github.actor == 'dependabot[bot]') and removed PR checkout for safer token usage.
    • Auto-approval/auto-merge applies to patch/minor updates without brittle mergeable_state gating; gh pr merge --auto handles readiness.
    • Major updates are labeled with two labels (major-update, needs-review) instead of being merged.
  • CI dependency security scan + advisory remediation

    • Enhanced .github/workflows/ci.yml with Trivy filesystem scan and SARIF upload.
    • Upgraded aquasecurity/trivy-action from 0.28.0 to 0.35.0 to move out of vulnerable ranges.
    • Pinned third-party actions to immutable commit SHAs for supply-chain hardening.
# .github/workflows/ci.yml
- name: Dependency Security Scan
  uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
  with:
    scan-type: 'fs'
    ignore-unfixed: true
    format: 'sarif'
    output: 'trivy-results.sarif'

- name: Upload Trivy results
  if: success() || failure()
  uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
  with:
    sarif_file: 'trivy-results.sarif'
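The pinning and trigger changes described above are easy to regress in a later edit, so the following is an added example (my own Python, not code from this PR or the repository) that audits workflow text for the three properties the PR relies on: every third-party `uses:` reference pinned to a full 40-hex commit SHA with a human-readable `# vX.Y` comment, no reference to the PR head in a `pull_request_target` workflow, and `security-events: write` present wherever SARIF is uploaded. It is regex-based rather than a YAML parser, the rule names are its own, the two sample workflows are constructed for the demonstration (the `actions/checkout` digest is a placeholder; the Trivy and codeql-action digests are the ones quoted in the PR description), and it is deliberately conservative: any mention of `pull_request_target` puts the whole file under the head-checkout rule.

```python
"""Audit GitHub Actions workflow text for the hardening this PR applies.
Added example, not code from this PR or the repository; rule names and the two
sample workflows are this example's own. Checks: (1) third-party `uses:` refs are
pinned to a 40-hex commit SHA with a `# vX.Y` comment, (2) a pull_request_target
workflow never references the PR head, (3) SARIF upload has security-events: write.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref  # optional comment`, quoted or not
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)['"]?\s*(#.*)?$""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line in the workflow; 0 for file-level findings
    rule: str
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return every finding for one workflow file's contents, in line order."""
    findings: list[Finding] = []
    # Conservative: any mention of the event counts, including `on: [pull_request_target]`
    pr_target = re.search(r"\bpull_request_target\b", text) is not None
    uploads_sarif = False
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, comment = m.group(1), m.group(2), m.group(3) or ""
            if action.startswith(("./", "docker://")):
                continue  # local actions and images are outside this check
            uploads_sarif |= "upload-sarif" in action
            if not SHA_RE.match(ref):
                findings.append(Finding(n, "unpinned-action", f"{action}@{ref} is a mutable tag or branch"))
            elif not VERSION_COMMENT_RE.search(comment):
                findings.append(Finding(n, "missing-version-comment", f"{action}@{ref[:7]} lacks a '# vX.Y' comment"))
        if pr_target and PR_HEAD_RE.search(line):
            findings.append(Finding(n, "pr-target-head-checkout", "pull_request_target job references the PR head"))
    if uploads_sarif and not re.search(r"security-events:\s*write", text):
        findings.append(Finding(0, "missing-security-events-permission", "upload-sarif needs security-events: write"))
    return findings


# Constructed sample: the weak shape (mutable tags, PR-head checkout under
# pull_request_target, no security-events permission). Not the repository's file.
BEFORE = """\
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
"""

# Constructed sample of the hardened shape. The checkout digest is a placeholder;
# the other two digests are the ones quoted in the PR description.
AFTER = """\
on:
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
      - uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
        with:
          sarif_file: 'trivy-results.sarif'
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for f in audit_workflow(text) or [Finding(0, "ok", "no findings")]:
            print(f"{label}:{f.line}: {f.rule}: {f.detail}")
```

Run it over `.github/workflows/*.yml` in CI and fail the job on any `unpinned-action` or `pr-target-head-checkout` finding; the `missing-version-comment` rule is a readability check only, since the SHA is what actually pins the action.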

Contributor

Copilot AI left a comment


Pull request overview

This PR strengthens dependency maintenance and CI security reporting by introducing Dependabot configuration, adding a Dependabot auto-approval/auto-merge workflow, and integrating a Trivy filesystem scan with SARIF upload into CI.

Changes:

  • Added .github/dependabot.yml to standardize daily npm updates with grouping, labels, and commit message prefixes.
  • Added a Dependabot PR auto-approve/auto-merge workflow for patch/minor updates and labeling for major updates.
  • Extended CI with a Trivy FS scan and SARIF upload, along with tightened workflow permissions.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/dependabot-automerge.yml | Introduces bot-gated auto-approval/auto-merge and labeling logic for Dependabot PRs.
.github/workflows/ci.yml | Adds Trivy scan + SARIF upload and sets explicit workflow permissions for security event reporting.
.github/dependabot.yml | Configures Dependabot cadence, grouping, labeling, and commit message conventions for npm updates.

Comment on lines +3 to +6
on:
pull_request:
types: [opened, synchronize, reopened]
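Review bot: the `pull_request` trigger on lines 3 to 6 cannot drive the approve and merge steps below it: for workflow runs that Dependabot triggers, the `GITHUB_TOKEN` is read-only and repository secrets are withheld, so `gh pr review --approve` and `gh pr merge --auto` will be rejected. Switch the trigger to `pull_request_target`, keep the job gated on `github.actor == 'dependabot[bot]'`, and do not check out the PR head anywhere in that job, since `pull_request_target` runs with a write-capable token in the base branch's context and a checkout of the head would execute the PR's own files under it.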

Comment on lines +28 to +35
if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean'
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Auto-merge patch & minor
if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean'

- name: Flag major updates for review
if: steps.metadata.outputs.update-type == 'version-update:semver-major'
run: gh pr edit "$PR_URL" --add-label "major-update,needs-review"
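Review bot: the `github.event.pull_request.mergeable_state == 'clean'` clause on the approve and merge conditions (lines 28 to 35) is unreliable: GitHub computes mergeability asynchronously, so when the `opened` or `synchronize` event fires the payload value is frequently `unknown` or missing, the condition is false, and both steps skip without any signal. Drop the clause and rely on `gh pr merge --auto`, which queues the merge until required checks and branch protection are satisfied. The duplicated update-type expression on the two steps should also be computed once (a job-level `if`, or one step output) so the patch/minor policy cannot drift between them. The major-update step is fine as written: `gh pr edit --add-label "major-update,needs-review"` splits the comma-separated value into two labels.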
Comment thread .github/workflows/ci.yml
Comment on lines +28 to +40
- name: Dependency Security Scan
uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy results
if: success() || failure()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
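Review bot: `aquasecurity/trivy-action@0.35.0` and `github/codeql-action/upload-sarif@v3` (lines 28 to 40) are mutable references; a tag can be re-pointed at a different commit, which is the same class of supply-chain exposure this PR is remediating. Pin each to the full 40-character commit SHA with the version as a trailing comment, for example `uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0`, and add a `github-actions` ecosystem entry to `.github/dependabot.yml` so the SHA is bumped automatically. Two further points: the upload step needs `security-events: write` in the workflow's `permissions` block or the SARIF upload fails, and `ignore-unfixed: true` drops findings that have no upstream fix from the SARIF, so they never reach the Security tab; confirm that reduced visibility is intended. Trivy's default exit code is 0, so findings do not fail the job unless `exit-code` and `severity` are set.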
Member

SMSDAO commented May 9, 2026

@copilot apply changes based on the comments in this thread

Contributor Author

Copilot AI commented May 9, 2026

@copilot apply changes based on the comments in this thread

Applied the requested thread fixes in commit 09183d1: switched Dependabot workflow to pull_request_target, removed brittle mergeable_state gating, fixed major-update labeling to add two labels correctly, and pinned Trivy/SARIF actions to full SHAs in CI. Validation passed (pnpm lint, pnpm typecheck, pnpm test, and parallel validation).

Copilot finished work on behalf of SMSDAO May 9, 2026 18:48
Copilot AI requested a review from SMSDAO May 9, 2026 18:48


3 participants