chore(ci): harden GitHub Actions

[natemoo-re]

What does this PR do?

Hardens our workflows in response to GHSA-g7cv-rxg3-hmpx. Workflows are also being hardened upstream in automations#22.

• Replaces secrets: inherit with explicit secret pass-through on all workflows (or drops entirely where no secrets are needed)
• Pins all bombshell-dev/automation reusable workflow refs to SHA (3a8b4a38..., main as of 2026-05-12)
• Pins ljharb/require-allow-edits to SHA (be4a9d13..., v2)
• Adds permissions: {} default-deny at workflow level on all 7 workflow files
• Adds owner guard to detect-agent.yml jobs
• Narrows preview.yml PR trigger types to [opened, synchronize, reopened]
• Adds .github/dependabot.yml for automated SHA bumps on GitHub Actions

Type of change

• Bug fix
• Feature
• Refactor (no behavior change)
• Documentation
• Performance improvement
• Tests
• Chore (dependencies, CI, tooling)

AI-generated code disclosure

• This PR includes AI-generated code

Claude helped 🙃

[changeset-bot]

⚠️ No Changeset found

Latest commit: c30bb6d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

• @example/basic

• @example/changesets

  npm i https://pkg.pr.new/@clack/core@541
  

  npm i https://pkg.pr.new/@clack/prompts@541
  

commit: c30bb6d

[dreyfus92]

thank you nate ✌🏻