feat: dependabot workflow

[justanothersynth]

Description

Add org-wide Dependabot infrastructure: GitHub Actions workflows for automated vulnerability lifecycle management and private CodeArtifact package support, plus comprehensive documentation.

The webhook handler that drives real-time alert/PR triage is deployed as an AWS Lambda in the infra repo — this PR adds the supporting workflows and org-level configuration it depends on.

Overview

graph TD
    subgraph webhook ["Org Webhook → AWS Lambda"]
        GH["GitHub Events"] --> Lambda["dependabot-webhook\n(AWS Lambda)"]
        Lambda -->|"dependabot_alert.created"| AlertHandler[Alert Handler]
        Lambda -->|"pull_request.opened"| PRHandler[PR Handler]
        Lambda -->|"pull_request.closed+merged"| MergeHandler[Merge Handler]
    end

    subgraph actions ["Slack + Linear + GitHub API"]
        AlertHandler -->|"post"| Slack["Slack\n(GHSA-keyed thread)"]
        AlertHandler -->|"create ticket"| Linear["Linear\n(GHSA in title)"]
        PRHandler -->|"reply in thread"| Slack
        PRHandler -->|"comment on ticket"| Linear
        PRHandler -->|"auto-merge / label"| GitHubAPI[GitHub API]
        MergeHandler -->|"reply: resolved"| Slack
    end

    subgraph infra [Infrastructure Workflows]
        Refresh["refresh_codeartifact_token\n(every 10h)"] -->|"rotates"| CASecret["Org Dependabot secret:\nCA_TOKEN"]
        Sync["sync_dependabot_config\n(daily)"] -->|"opens PRs"| DYml["dependabot.yml\n(per repo)"]
    end

Loading

• refresh_codeartifact_token.yml — Rotates the CodeArtifact auth token every 10 hours and stores it as an org-level Dependabot secret (CA_TOKEN), keeping Dependabot able to resolve private packages like amera-core and amera-workflow
• sync_dependabot_config.yml — Syncs a canonical dependabot.yml template to every repo with a CodeArtifact-backed pyproject.toml, opening PRs (not direct pushes) for SOC2 compliance, with Slack + Linear notifications
• dependabot-template.yml — Single source of truth for Dependabot config across Python repos (CodeArtifact registry, pip/docker/github-actions ecosystems)
• Updated README with architecture diagrams, org webhook setup, prerequisites, and documentation for the skip list and template update workflow

Contributes to AMR-1652

Risk Level

• Low — minor change, no impact on production data or security

Rollback Plan

Revert this PR and remove the org webhook. The Lambda (deployed separately in the infra repo) is stateless — removing it simply stops Dependabot notifications and auto-merge. The refresh and sync workflows are new scheduled jobs — removing them stops token rotation and config syncing. No impact on application behavior.

PHI Impact

• This change affects systems that create, receive, maintain, or transmit PHI — HIPAA impact reviewed

Testing

• Tested in non-production environment

[Katyaraa1]

We should probably rewrite this to a lambda