feat: add Dependabot alerts workflow for automated vulnerability remediation

[davidkonigsberg]

Summary

Adds security-scanning-and-remediation.yml — the same Dependabot alerts → scaffold-PR → Slack notification workflow that already runs in fern-platform, fern-autopilot, and fern.

On workflow_dispatch, the workflow:

1. Fetches open Dependabot alerts using the default GITHUB_TOKEN (which has VulnerabilityAlerts: read)
2. Deduplicates by alert number and package name to avoid duplicate PRs
3. Creates a draft scaffold PR per alert with Devin AI remediation instructions
4. Posts to #devin-ai-prs Slack channel via DEVIN_AI_PR_BOT_SLACK_TOKEN

Requires the DEVIN_AI_PR_BOT_SLACK_TOKEN secret to be configured for Slack notifications (workflow still runs without it, just skips notifications).

Link to Devin session: https://app.devin.ai/sessions/e822eeb68f284f609de9bdc2bf7cc22d
Requested by: @davidkonigsberg

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring