Add security update workflow for automated dependency fixes

[Alyssa Evans (alycda)]

Closes: SPO-480

Summary

This PR adds a GitHub Actions workflow that enables automated security vulnerability remediation through integration with a centralized reusable workflow. The workflow accepts security alerts from an external automation system and triggers Claude-powered dependency updates.

Key Changes

• Added .github/workflows/security-update.yml - a per-repository caller workflow that:
  • Accepts manual workflow dispatch inputs for package ecosystem, vulnerability alerts, and related metadata
  • Supports multiple package ecosystems (npm, cargo, docker, go, python)
  • Integrates with Linear for ticket tracking
  • Delegates to a centralized reusable workflow in getditto/.github for the actual fix implementation
  • Passes security alerts as JSON, batch identifiers for tracking, and configurable reviewers for PRs

Implementation Details

• The workflow is designed as a thin caller that forwards inputs to getditto/.github/.github/workflows/security-update-claude.yml@main
• Requires ANTHROPIC_API_KEY secret for Claude API integration
• Default reviewers are set to security-team,copilot but can be customized per invocation
• Follows the pattern described in TINES_AUTOMATION.md for centralized security automation

https://claude.ai/code/session_01Ag2LMg9XN7ZDopg3dkVmeb

[Alyssa Evans (alycda)]

https://github.com/getditto/ditto/blob/66dfe00d3efac806ca4b1cf6b1b0a56033883e60/TINES_AUTOMATION.md