
Consolidate dependency updates and security hardening into single PR#203

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/consolidate-prs-for-dependency-updates

Conversation


Copilot AI commented Mar 11, 2026

Multiple open Dependabot and StepSecurity PRs (#177, #186, #189, #200, #201) accumulating independently — consolidated into one reviewable/mergeable unit.

Python dependencies (requirements.txt)

| Package | Old | New |
| --- | --- | --- |
| boto3 | 1.42.39 | 1.42.63 |
| discord.py | 2.6.4 | 2.7.1 |
| google-genai | 1.61.0 | 1.66.0 |
| google-api-python-client | 2.188.0 | 2.192.0 |
| protobuf | 6.33.5 | 7.34.0 |
| python-dotenv | 1.2.1 | 1.2.2 |
| pip | 26.0 | 26.0.1 |

⚠️ protobuf 7.x includes breaking Python API changes — verify runtime behavior.

GitHub Actions version bumps

  • docker/setup-buildx-action v3 → v4
  • docker/login-action v3 → v4
  • docker/metadata-action v5 → v6
  • docker/build-push-action v6 → v7
  • actions/upload-artifact v5 → v7

StepSecurity hardening (PR #201)

  • Added step-security/harden-runner (egress audit mode) to all workflow jobs
  • Added top-level permissions: contents: read to workflows missing it
  • Pinned actions/checkout, actions/setup-python, codecov/codecov-action, github/codeql-action/*, actions/dependency-review-action, aquasecurity/trivy-action to full commit SHAs
  • Pinned Docker/Dockerfile base image python:3.14-slim to digest SHA
  • Added scorecards.yml — OpenSSF Scorecard supply-chain security workflow
  • Added .pre-commit-config.yaml — gitleaks, shellcheck, pre-commit-hooks, pylint
  • Added pip ecosystem for /Docker dir to dependabot.yml
Original prompt

This section details the original issue you should resolve

<issue_title>Consolidate all PR's to one with dependency updates</issue_title>
<issue_description>Various PR's with new versions, consolidate to one PR to be able to review and merge </issue_description>

Comments on the Issue (you are @copilot in this section)
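As an added example, not part of this PR or the repository's own tooling: a small Python audit that checks a workflow file for the three hardening properties the list above describes (a top-level `permissions:` block, a `step-security/harden-runner` step in every job, and every `uses:` ref pinned to a full 40-hex commit SHA). The sample workflow is constructed for the example and its SHA is a placeholder, not a real commit.

```python
import re

# A full 40-hex commit SHA, the ref form the hardening list pins actions to.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo@ref`; a trailing `# vN` comment after the ref is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
        with:
          egress-policy: audit
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

def audit_workflow(text):
    """Return findings for one workflow: missing top-level permissions,
    jobs without harden-runner, and `uses:` refs not pinned to a SHA."""
    findings, lines = [], text.splitlines()
    # Top-level key sits at column 0; a job-level permissions block is indented.
    if not any(re.match(r"^permissions:", ln) for ln in lines):
        findings.append("missing top-level permissions: block")
    jobs, current, in_jobs = {}, None, False   # job id -> its indented lines
    for ln in lines:
        if re.match(r"^jobs:", ln):
            in_jobs = True
        elif in_jobs and re.match(r"^  [A-Za-z0-9_-]+:\s*$", ln):
            current = ln.strip().rstrip(":")
            jobs[current] = []
        elif current is not None:
            jobs[current].append(ln)
    for job, body in jobs.items():
        uses = [m for m in map(USES_RE.match, body) if m]
        if not any(m.group(1) == "step-security/harden-runner" for m in uses):
            findings.append(f"job {job}: no step-security/harden-runner step")
        for m in uses:
            if not SHA_RE.match(m.group(2)):
                findings.append(f"job {job}: {m.group(1)}@{m.group(2)} not pinned to a commit SHA")
    return findings
```

Run against the sample it reports the missing permissions block and the two problems in the `lint` job; a workflow that satisfies all three checks returns an empty list.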



…nd StepSecurity best practices

Co-authored-by: ChiefGyk3D <19499446+ChiefGyk3D@users.noreply.github.com>
Copilot AI changed the title [WIP] Consolidate multiple PRs for dependency updates Consolidate dependency updates and security hardening into single PR Mar 11, 2026


Successfully merging this pull request may close these issues.

Consolidate all PR's to one with dependency updates
