
feat: require a lockfile for project dependencies exists as an option #133

@zimeg

Description


🧠 Per wonderful suggestion of @mwbrooks:

I wonder if the Health Score workflow could check that node.js projects include a package-lock.json?

Some benefits might include:

I'm a fan of this idea too and think we can consider a lockfile attribute as an input to this action. I'm not sure if SDKs should require this check at this time, but we might consider a modified extension input if so:

extension:
  description: 'File extension of files to filter on to report health score on. E.g. "js" or "go"'

Also, I believe #104 can address using pinned versions in GitHub Workflows while this issue might focus on other project ecosystems.
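One way such a check could be wired up, as an added example rather than code from the Health Score action or its maintainers: a POSIX shell function that takes the project directory and the value of the existing `extension` input and looks for that ecosystem's dependency lockfile. The `lockfile` input name, the extension-to-lockfile mapping, and the sample projects it creates are all assumptions for illustration; the lockfile names themselves are each package manager's standard ones.

```shell
#!/bin/sh
# Added example, not code from the Health Score action or its maintainers.
# It sketches what a `lockfile: true` input (assumed name) could check, keyed
# off the action's existing `extension` input: does the project directory
# contain a dependency lockfile for that ecosystem?

# Print the lockfile names accepted for a file extension (space separated).
# Which ecosystems the action would cover is an assumption; the file names
# are each package manager's standard lockfile.
lockfiles_for_extension() {
  case "$1" in
    js|ts) echo "package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml" ;;
    go)    echo "go.sum" ;;
    rs)    echo "Cargo.lock" ;;
    rb)    echo "Gemfile.lock" ;;
    py)    echo "poetry.lock Pipfile.lock uv.lock pdm.lock" ;;
    *)     echo "" ;;
  esac
}

# check_lockfile DIR EXT
#   exit 0 and print the lockfile found, or
#   exit 1 with a message on stderr when none of the accepted lockfiles exists, or
#   exit 2 when no lockfile convention is known for EXT, so the caller can decide
#   whether an unknown ecosystem should fail the check or be skipped.
check_lockfile() {
  dir=$1
  ext=$2
  candidates=$(lockfiles_for_extension "$ext")
  if [ -z "$candidates" ]; then
    echo "lockfile check: no lockfile convention known for extension '$ext'" >&2
    return 2
  fi
  for name in $candidates; do
    if [ -f "$dir/$name" ]; then
      echo "$name"
      return 0
    fi
  done
  echo "lockfile check: no lockfile found in $dir for '$ext' (expected one of: $candidates)" >&2
  return 1
}

# Demo on constructed sample projects in a temporary directory: one Node.js
# project that commits package-lock.json and one that does not.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/with-lock" "$tmp/without-lock"
  : > "$tmp/with-lock/package.json"
  : > "$tmp/with-lock/package-lock.json"
  : > "$tmp/without-lock/package.json"
  for project in with-lock without-lock; do
    if found=$(check_lockfile "$tmp/$project" js); then
      echo "$project: OK ($found)"
    else
      echo "$project: FAIL"
    fi
  done
  rm -rf "$tmp"
}

demo
```

A presence check only proves the file is committed, not that installs honour it. For npm projects, running `npm ci` in the workflow is the stronger gate: it fails when package-lock.json is absent or disagrees with package.json, so the two checks complement each other.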

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request), github_actions (Pull requests that update GitHub Actions code)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests
