feat(github): add upgrade main workflow

[krokoko]

Automated dependency upgrades: add an upgrade-main GitHub workflow that runs on a schedule and on demand, uses mise to upgrade tools with mise upgrade --bump, captures changes as a patch, and opens a pull request with the updates.

N/A

New workflow .github/workflows/upgrade-main.yml:

• Triggers: workflow_dispatch and daily schedule (00:00 UTC).
• Upgrade job: Checkout main, setup mise (with cache), mise install, then mise upgrade --bump; create a patch from any changes and upload it as an artifact.
• PR job: Runs only when there are changes; downloads the patch, applies it, and uses peter-evans/create-pull-request to open a PR from branch github-actions/upgrade-main with the dependencies label.
• Permissions: contents: read for the upgrade job; contents: write and pull-requests: write for the PR job (using GITHUB_TOKEN).
• PR body: Uses the project’s template (summary, Related, Changes, Acknowledgment) and links to the workflow run.

The build workflow with all checks and scanners will run on the created pull request

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

[theagenticguy]

Looks good — clean two-job workflow with proper security posture:

• Top-level permissions locked to none with minimal per-job escalation
• All actions pinned to commit SHAs
• Patch-based artifact handoff between jobs avoids granting write permissions to the upgrade step
• GITHUB_TOKEN scoped appropriately (no PAT needed)
• The build workflow will validate the auto-created PRs

Ship it.

[scottschreckengaust]

do we know if this is necessary?

[scottschreckengaust]

does this need to be here also? Also, there may need to be an update to the pull request validation for users excluded from contribution statements.