Add automated Dependabot PR review agent with security analysis#641

Draft
Copilot wants to merge 4 commits into main from copilot/add-dependency-review-agent

Conversation


Copilot AI commented Feb 19, 2026

Automates review of Dependabot PRs with dependency change analysis and security impact assessment.

Implementation

Workflow (.github/workflows/dependabot-review.yml)

  • Triggers on Dependabot PRs (opened/synchronize/reopened)
  • Extracts version changes from go.mod, Dockerfile, GitHub Actions
  • Generates GitHub compare URLs and release notes links for affected dependencies
  • Runs optional govulncheck vulnerability scanning
  • Posts structured review comment with findings

Risk Detection

  • Flags critical dependencies: k8s.io/{api,apimachinery,client-go}, sigs.k8s.io/cluster-api, sigs.k8s.io/controller-runtime
  • Auto-applies high-risk-dependency-update label
  • Issues workflow warnings for manual review

Review Comment Structure

🤖 Dependabot Dependency Review
├── 📦 Go Module Changes (diff + version analysis)
├── 🛡️ Security Analysis Results (vulnerabilities, outdated deps)
├── 🔒 Security Considerations (checklist)
└── ✅ Recommended Actions (review/test/verify)

Documentation

  • docs/Dependabot-Review-Agent.md: Architecture, workflow behavior, troubleshooting
  • README.md: Added documentation link

Example Output

For a PR bumping k8s.io/api v0.30.0 → v0.31.0:

  • Version comparison with release notes link
  • Direct compare view
  • High-risk label applied (critical dependency)
  • Security scan results
  • Action items for reviewer
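As an added illustration (not code from this PR or its workflow), here is a Python sketch of the go.mod part of the review step described above: it pairs removed and added require lines from a diff, builds GitHub compare URLs, flags the critical modules the description lists and decides whether the high-risk-dependency-update label applies. The vanity-import to GitHub organisation mapping and the sample diff are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Critical dependencies the PR description says the workflow flags.
CRITICAL_MODULES = {
    "k8s.io/api", "k8s.io/apimachinery", "k8s.io/client-go",
    "sigs.k8s.io/cluster-api", "sigs.k8s.io/controller-runtime",
}
HIGH_RISK_LABEL = "high-risk-dependency-update"
# Assumed vanity-import -> GitHub org mapping, used only to build compare URLs.
VANITY_ORGS = {"k8s.io": "kubernetes", "sigs.k8s.io": "kubernetes-sigs"}
# A go.mod require entry: "<module> <semver>" (a trailing "// indirect" is ignored).
REQUIRE_RE = re.compile(r"^(\S+)\s+(v\d+\.\d+\.\d+\S*)")

@dataclass
class Bump:
    module: str
    old: str
    new: str
    high_risk: bool
    compare_url: Optional[str]

def compare_url(module: str, old: str, new: str) -> Optional[str]:
    """GitHub compare view for the bump, or None when the host is unknown."""
    parts = module.split("/")
    if module.startswith("github.com/") and len(parts) >= 3:
        repo = f"{parts[1]}/{parts[2]}"
    elif parts[0] in VANITY_ORGS and len(parts) >= 2:
        repo = f"{VANITY_ORGS[parts[0]]}/{parts[1]}"
    else:
        return None
    return f"https://github.com/{repo}/compare/{old}...{new}"

def parse_gomod_diff(diff_text: str) -> list:
    """Pair removed (-) and added (+) require lines of a go.mod diff into version bumps."""
    removed, added = {}, {}
    for line in diff_text.splitlines():
        if not line or line[0] not in "+-" or line.startswith(("---", "+++")):
            continue  # context lines, hunk headers and file headers carry no bump
        m = REQUIRE_RE.match(line[1:].strip().removeprefix("require "))
        if m:
            (removed if line[0] == "-" else added)[m.group(1)] = m.group(2)
    return [Bump(mod, removed[mod], new, mod in CRITICAL_MODULES, compare_url(mod, removed[mod], new))
            for mod, new in sorted(added.items()) if mod in removed and removed[mod] != new]

def labels_for(bumps: list) -> set:
    """Labels the review step would apply: the high-risk label if any critical module moved."""
    return {HIGH_RISK_LABEL} if any(b.high_risk for b in bumps) else set()

# Constructed sample diff resembling the k8s.io/api v0.30.0 -> v0.31.0 bump from the description.
SAMPLE_DIFF = "--- a/go.mod\n+++ b/go.mod\n@@ -5,6 +5,6 @@\n require (\n \tgithub.com/spf13/cobra v1.8.0\n-\tk8s.io/api v0.30.0\n-\tk8s.io/apimachinery v0.30.0\n+\tk8s.io/api v0.31.0\n+\tk8s.io/apimachinery v0.31.0\n )\n"
```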


Copilot AI and others added 3 commits February 19, 2026 12:06
Co-authored-by: wikkyk <318870+wikkyk@users.noreply.github.com>
Co-authored-by: wikkyk <318870+wikkyk@users.noreply.github.com>
Co-authored-by: wikkyk <318870+wikkyk@users.noreply.github.com>
Copilot AI changed the title [WIP] Add agent to review dependabot PRs for dependency changes Add automated Dependabot PR review agent with security analysis Feb 19, 2026
Copilot AI requested a review from wikkyk February 19, 2026 12:13

wikkyk commented Feb 19, 2026

This is just an idea that I had that I didn't want to get lost. I think I want this to also have an LLM write up a summary of the code changed in the deps. It should run after the stuff I described in #635.
