PR automation and repo/workflow-hardening

[martincostello]

This PR makes a number of changes to GitHub actions to automate more of the repo maintenance and also hardens the repo against various recommendations that are made by the Open Source Software Foundation (OSSF) Scorecard.

The automation is based on the approaches in this repository.

Changes:

• Add a GitHub Actions workflow to run a CodeQL scan.
• Add a workflow to review dependencies.
• Validates the NuGet packages before publishing.
• Publish packages to NuGet as a separate job after the build.
• Harden GitHub workflows by pinning actions by Git SHA.
• Use reusable workflow for updating the .NET SDK.
• Use a GitHub app to generate updates instead of GITHUB_TOKEN so that CI runs.
• Add a workflow to automatically approve and merge .NET SDK updates.
• Add a workflow to automatically approve and merge dependabot updates for GitHub-authored actions.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (main@d11583a). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #468   +/-   ##
=======================================
  Coverage        ?   95.08%           
=======================================
  Files           ?       27           
  Lines           ?      610           
  Branches        ?        0           
=======================================
  Hits            ?      580           
  Misses          ?       30           
  Partials        ?        0           

Flag	Coverage Δ
linux	95.08% <0.00%> (?)
macos	94.26% <0.00%> (?)
windows	94.09% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more