
[Hermes] Harden CI security, add dependabot, add .gitattributes #16

Merged

Coding-Dev-Tools merged 1 commit into main from hermes/api-contract-guardian/harden-ci-security-add-dependabot on May 20, 2026

Conversation

@Coding-Dev-Tools (Owner)

Summary

Security hardening and repo infrastructure for api-contract-guardian.

Why this change

  • pages.yml checkout was the only workflow missing , leaving the GitHub token in where any later step could exfiltrate it. All other workflows (ci.yml, publish.yml) already had this hardening.
  • dependabot.yml was missing — no automated dependency update tracking for pip or GitHub Actions. Weekly PRs keep deps fresh without manual effort.
  • .gitattributes was missing — no line-ending enforcement, risking CRLF/LF corruption on cross-platform edits (Windows developers committing CRLF, CI seeing diffs).

What changed

  • : Added to checkout step
  • : New — weekly pip + GitHub Actions updates (limit 5 open PRs each)
  • : New — enforce with CRLF exceptions for Windows shell scripts

Validation

  • 139/139 tests pass
  • ruff check: All checks passed
  • YAML files validated with PyYAML
  • Branch pushed successfully

Risks/rollback

  • Very low risk — persist-credentials change is read-only, pages deployment doesn't need git push
  • dependabot.yml only creates PRs, doesn't auto-merge
  • .gitattributes change only affects new commits; existing files unaffected until re-normalized

Follow-ups

  • Monitor first dependabot PRs next Monday
  • Consider adding .editorconfig for multi-language consistency
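The first "Why this change" bullet is the security-relevant one: with actions/checkout's default of persist-credentials: true, the job's GITHUB_TOKEN is written into the checked-out repository's .git/config, so every later step in that job (build scripts, third-party actions) can read it. The following is an added example, not code from this PR or from the api-contract-guardian project, of the kind of check that would have caught the gap in pages.yml: a small scanner over workflow YAML that reports actions/checkout steps lacking persist-credentials: false. The two embedded workflows are constructed samples, not the project's files, and the scanner is line-based on purpose so it needs no YAML library; it only understands the `steps:` list layout that ordinary workflow files use.

```python
import re

# Constructed sample workflows (illustrative only; not the project's pages.yml).
# The first leaves the default persist-credentials: true in place.
UNHARDENED_WORKFLOW = """\
name: pages
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build site
        run: ./build.sh
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v3
"""

# The hardened form: the checkout is read-only, so the token is not persisted.
HARDENED_WORKFLOW = """\
name: pages
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out (read-only; keep the token out of .git/config)
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Build site
        run: ./build.sh
"""

STEPS_KEY = re.compile(r"^(\s*)steps:\s*$")
LIST_ITEM = re.compile(r"^(\s*)-\s")
USES_CHECKOUT = re.compile(r"^\s*-?\s*uses:\s*(actions/checkout@\S+)")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def split_steps(workflow_text):
    """Return every job's steps as lists of raw lines.

    A step starts at a '- ' item directly under a 'steps:' key and continues
    while lines stay indented deeper than that item; a dedent back to the
    'steps:' indentation (or shallower) ends the list.
    """
    steps = []
    current = None
    steps_indent = None
    item_indent = None
    for line in workflow_text.splitlines():
        if not line.strip():
            continue
        key = STEPS_KEY.match(line)
        if key:
            if current:
                steps.append(current)
            current = None
            steps_indent = len(key.group(1))
            item_indent = None
            continue
        if steps_indent is None:
            continue  # not inside a steps: block
        indent = len(line) - len(line.lstrip())
        if indent <= steps_indent:
            if current:
                steps.append(current)
            current = None
            steps_indent = None
            continue
        item = LIST_ITEM.match(line)
        if item and (item_indent is None or len(item.group(1)) == item_indent):
            item_indent = len(item.group(1))
            if current:
                steps.append(current)
            current = [line]
        elif current is not None:
            current.append(line)  # continuation line or nested list item
    if current:
        steps.append(current)
    return steps


def find_unhardened_checkouts(workflow_text):
    """Return the actions/checkout refs of steps that do not set
    persist-credentials: false, i.e. steps that leave the GITHUB_TOKEN in
    .git/config for every later step in the job to read."""
    findings = []
    for step in split_steps(workflow_text):
        ref = None
        hardened = False
        for line in step:
            uses = USES_CHECKOUT.match(line)
            if uses:
                ref = uses.group(1)
            if PERSIST_FALSE.match(line):
                hardened = True
        if ref and not hardened:
            findings.append(ref)
    return findings


if __name__ == "__main__":
    for label, text in (("unhardened", UNHARDENED_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, "->", find_unhardened_checkouts(text) or "ok")
```

Point the function at each file under .github/workflows/ to turn it into a pre-commit or CI gate; a checkout with persist-credentials: false still works for a read-only deployment, which is exactly the PR's rollback argument. The check is deliberately per-step, because a single hardened checkout elsewhere in the file says nothing about the other jobs.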

@Coding-Dev-Tools (Owner, Author)

Sentinel review - REQUEST CHANGES: This PR has merge conflicts (dirty state). Please rebase onto current main and resolve conflicts. The changes themselves look good (checkout token hardening + dependabot + .gitattributes) but need a clean branch before merge.

@Coding-Dev-Tools (Owner, Author)

🛡️ Sentinel Review: Good changes (CI hardening + dependabot + .gitattributes) but this PR has merge conflicts (mergeable_state: dirty). Please rebase onto main and resolve conflicts before this can be merged.

- Add persist-credentials: false to pages.yml checkout step
  (security: prevents token exfiltration in read-only workflow)
- Add dependabot.yml for weekly pip + GitHub Actions updates
- Add .gitattributes to enforce LF line endings across platforms
Coding-Dev-Tools force-pushed the hermes/api-contract-guardian/harden-ci-security-add-dependabot branch from 7e2baca to 3580818 on May 19, 2026 19:49
Coding-Dev-Tools merged commit 8673a20 into main on May 20, 2026