chore: Incorporate cargo-audit to CI

[mrnaveira]

Currently we don't have automated process to detect vulnerabilities in our dependencies.

We could integrate something like cargo-audit to our CI process (e.g. to be triggered on pull requests).

For more context:

• We already know that we have dependencies that need upgrading, so we should exclude them from cargo-audit until they are fixed, so only new dependency warnings are reported.
• We used to have a bot that bumped dependency version automatically, but was disabled years ago for some reason.

[Grinsven]

Implemented in #3823. The cargo-audit CI job runs on every PR using rustsec/audit-check v2.0.0. Configuration file at .cargo/audit.toml excludes 14 known advisories from #3338.

The ignore list covers sqlx (needs 0.8.x upgrade with breaking changes), unmaintained crates (atty, derivative, adler, instant, paste, proc-macro-error), and dependencies with no available patches (rsa Marvin Attack, protobuf recursion). cargo audit exits with code 0 locally confirming all current vulnerabilities are properly excluded.

Testing:

• cargo audit passes (exit code 0)
• All 14 current advisories excluded
• New vulnerabilities will fail CI as expected