chore(ci): harden GitHub Actions

[natemoo-re]

What does this PR do?

Hardens our workflows in response to GHSA-g7cv-rxg3-hmpx.

• Replaces secrets: inherit with explicit secret pass-through on all workflows (or drops entirely where no secrets are needed)
• Pins all bombshell-dev/automation reusable workflow refs to SHA (3a8b4a38..., main as of 2026-05-12)
• Adds permissions: {} default-deny at workflow level on all workflow files
• Adds .github/dependabot.yml for automated SHA bumps on GitHub Actions

Type of change

• Bug fix
• Feature
• Refactor (no behavior change)
• Documentation
• Performance improvement
• Tests
• Chore (dependencies, CI, tooling)

AI-generated code disclosure

• This PR includes AI-generated code

Claude helped 🙃

[changeset-bot]

⚠️ No Changeset found

Latest commit: a50ab56

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@bomb.sh/tools@36

commit: a50ab56