ci: enable GitHub Advanced Security (GHAS) #8

@microsasa

Several security features require GHAS for private repositories:

  • CodeQL code scanning (see ci: enable CodeQL code scanning #7)
  • Dependency review action (blocks PRs introducing vulnerable deps)
  • Secret scanning with push protection
  • Copilot Autofix for vulnerabilities

Options:

  1. Subscribe to GitHub Secret Protection ($19/mo) + Code Security ($30/mo) per committer
  2. Make the repo public (all features free)
  3. Wait for GitHub to expand free tier
