Application security in CI

[smlx]

This issue tracks the rollout of application security in CI.

Requires workflow updates:

• Dependabot Version updates
• dependency review
• OpenSSF scorecard and best practices (badges in README)
• release artifact signing
• release SBOMs
• coverage (badge in README)
• code linters

Requires repository config updates, after workflows updates are merged:

• Dependabot Alerts
• Dependabot Security updates
• CodeQL
• secret scanning and push protection
• private vulnerability reporting