feat(security): refine Dependabot notifications

[gopal-raj-suresh]

Summary

• Refines the Google Chat notification workflow to use threading per repo, three event-driven card variants (safe update, major review, merged), and a more reliable JSON payload builder
• Adds a pip range classifier to the auto-merge workflow so pip dependencies that use version ranges (e.g. >=0.24.0 to >=0.28.1) are correctly classified and auto-merged for minor/patch bumps
• Moves the weekly scheduled SDLE scan from Monday 06:00 UTC to Friday 12:00 UTC (7 AM CDT)

Type of Change

• Bug fix
• New feature / enhancement
• Documentation update
• Refactor (no behavior change)
• Chore (dependencies, CI, tooling)

Changes Made

• .github/workflows/dependabot-gchat-notify.yml: rewritten with per-repo threadKey, friendly ecosystem and update-type labels, and CVSS shown only when meaningful
• .github/workflows/dependabot-auto-merge.yml: classify step added to handle null update-types from Dependabot's fetch-metadata for pip range expressions
• .github/workflows/code-scans.yaml: cron updated from 0 6 * * 1 to 0 12 * * 5

How to Test

1. Confirm the existing GOOGLE_CHAT_WEBHOOK_URL repo secret is still in place (gh secret list).
2. Wait for the next Dependabot PR — confirm the new card design appears in the team Google Chat space, threaded under this repo.
3. Confirm minor/patch PRs (including pip range updates) auto-merge as expected.
4. Major-bump PRs continue to require human review and trigger the warning card.
5. Next Friday at 7 AM CDT, confirm the weekly scheduled scan runs.

Checklist

• I have read the Contributing Guide
• My branch is up to date with main
• New environment variables (if any) are documented in .env.example and the README
• No secrets, API keys, or credentials are included in this PR
• I have tested my changes locally