feat: weekly CG alerts scan workflow for vulnerable NuGet dependencies#38033

Draft
Copilot wants to merge 2 commits into main from copilot/add-dependency-scan-agent

Conversation


Copilot AI commented Mar 31, 2026

Adds a scheduled GitHub Actions workflow that scans all NuGet dependencies (direct and transitive) for known CVEs, auto-applies fixes where possible, and opens a PR + tracking issue with the results.

Workflow: .github/workflows/security-vulnerability-scan.yml

Triggers: weekly (Monday 09:00 UTC) + workflow_dispatch

Scan

  • Bootstraps the pinned .NET SDK via restore.sh
  • Temporarily adds nuget.org to NuGet.config (repo normally clears all sources in favor of internal AzDO feeds) to get vulnerability metadata
  • Runs dotnet list package --vulnerable --include-transitive --format json across all .slnf solution filters; merges results with jq

Auto-fix logic

| Package location | Action |
| --- | --- |
| Hardcoded version in Directory.Packages.props / test/Directory.Packages.props | Update in place |
| MSBuild property reference (e.g. $(SQLitePCLRawVersion)) | Update property in eng/Versions.props |
| Transitive dep absent from any props file | Add <PackageVersion> pin (uses CentralPackageTransitivePinningEnabled) |
| Listed in eng/Version.Details.xml | Skip — Maestro-managed; flagged for manual review |

Fix versions are resolved by querying the GitHub Security Advisory GraphQL API (firstPatchedVersion per GHSA ID).

Output

  • Commits fixes to cg-alerts/vuln-fix-<date>, opens a PR
  • Creates/updates a tracking issue (label: CG-alerts-scan) with a markdown table covering severity, current/patched versions, advisory links, and reason for any skipped packages
  • Auto-closes the tracking issue when a clean scan is detected
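To make the auto-fix table concrete, here is an added Python example (not the PR's own workflow, which merges the scan with jq in shell) that flattens the JSON produced by `dotnet list package --vulnerable --include-transitive --format json` and maps each vulnerable package to the action in the table. The JSON shape, the props/Version.Details.xml fragments, and all package names and GHSA ids are constructed placeholders; checking Version.Details.xml before the props files is this example's ordering choice.

```python
import json
import xml.etree.ElementTree as ET
# Constructed sample in the shape of `dotnet list package --vulnerable --include-transitive --format json` (placeholder ids, not real advisories).
SCAN_JSON = """{"version": 1, "projects": [{"path": "src/App.csproj", "frameworks": [{"framework": "net10.0",
 "topLevelPackages": [
  {"id": "PkgA", "resolvedVersion": "1.0.0",
   "vulnerabilities": [{"severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-1"}]},
  {"id": "SQLitePCLRaw.core", "resolvedVersion": "2.1.0",
   "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-2"}]}],
 "transitivePackages": [
  {"id": "PkgT", "resolvedVersion": "3.0.0",
   "vulnerabilities": [{"severity": "Critical", "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-3"}]},
  {"id": "Microsoft.Extensions.Logging", "resolvedVersion": "9.0.0",
   "vulnerabilities": [{"severity": "Low", "advisoryurl": "https://github.com/advisories/GHSA-PLACEHOLDER-4"}]}]}]}]}"""

# Constructed fragments of the repo's version-pinning files (file layout assumed, contents made up).
PACKAGES_PROPS = """<Project><ItemGroup>
  <PackageVersion Include="PkgA" Version="1.0.0" />
  <PackageVersion Include="SQLitePCLRaw.core" Version="$(SQLitePCLRawVersion)" />
</ItemGroup></Project>"""
VERSION_DETAILS_XML = """<Dependencies><ProductDependencies>
  <Dependency Name="Microsoft.Extensions.Logging" Version="9.0.0" />
</ProductDependencies></Dependencies>"""

def vulnerable_packages(scan_json):
    """Flatten the scan across projects/frameworks, merging top-level and transitive hits per package id."""
    found = {}
    for project in json.loads(scan_json)["projects"]:
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in (p for p in fw.get(kind, []) if p.get("vulnerabilities")):
                    entry = found.setdefault(pkg["id"], {"version": pkg["resolvedVersion"], "severities": set(), "advisories": set()})
                    for vuln in pkg["vulnerabilities"]:
                        entry["severities"].add(vuln["severity"])
                        entry["advisories"].add(vuln["advisoryurl"])
    return found

def classify(pkg_id, packages_props, version_details):
    """Map one vulnerable package to the action in the PR's auto-fix table."""
    # Maestro-managed dependencies are checked first: a hand edit elsewhere would just be overwritten.
    if pkg_id in {d.get("Name") for d in ET.fromstring(version_details).iter("Dependency")}:
        return "skip: Maestro-managed (eng/Version.Details.xml), flag for manual review"
    for pv in ET.fromstring(packages_props).iter("PackageVersion"):
        if pv.get("Include") == pkg_id:
            version = pv.get("Version", "")
            if version.startswith("$(") and version.endswith(")"):
                return f"update property {version[2:-1]} in eng/Versions.props"
            return "update Version in place in Directory.Packages.props"
    return "add <PackageVersion> pin (transitive; relies on CentralPackageTransitivePinningEnabled)"
```

Running `classify` over the keys of `vulnerable_packages(SCAN_JSON)` yields one row per package for the tracking-issue table; the fix version itself would still come from the advisory lookup the PR describes.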

Copilot AI and others added 2 commits March 31, 2026 15:52