Update security docs with tiered action pinning policy

[annakrystalli]

Summary

• Add tiered action pinning policy documentation (Tier 1/2/3)
• Add CodeQL trusted owners model pack documentation
• Update dependabot template with patch ignore and minor/major grouping config
• Add process for evaluating and adding new third-party actions to hubverse workflows
• Link to hubverse-developer-actions README as the practical pinning reference

Changes to security.md

• Action pinning policy section: describes the three tiers and when to use each
• CodeQL trusted owners model pack section: explains why it exists and how to maintain it
• Dependabot template: updated with ignore (skip patches) and groups (combine minor+major into single PR) config, plus explanation of what each setting does
• Adding a new third-party action section: step-by-step checklist for evaluating trust tier, pinning, allowlist, and model pack updates

Dependencies

• Links to the hubverse-developer-actions README which is in an open PR: Implement tiered action pinning policy hubverse-developer-actions#19. That PR should be merged first so the README links resolve correctly.

Context

• Closes Update security docs to reflect tiered action pinning policy #449

🤖 Generated with Claude Code