ci: enable free GitHub security features

[microsasa]

Enable all free GitHub security features for the repository:

• CodeQL code scanning on PRs to main + weekly schedule
• Dependabot alerts for vulnerable dependency notifications
• Dependabot automated security updates (auto-PRs to fix vulnerabilities)

Note: Dependency review action requires GHAS (paid) for private repos — not applicable.

[microsasa]

Dependabot alerts and security updates enabled via API. CodeQL deferred to #7.