Conversation

@eeaton (Contributor) commented Dec 19, 2024

Add a GitHub Action to automate python dependency updates that resolve security alerts.

  • Dependabot will track available updates for the python libraries and raise a PR when an upgrade would resolve a new security alert. Usually we can't merge these updates as-is, because dependabot fixes a single dependency in one location that may or may not work with the structure of how we generate python requirements dynamically.
  • When the conditions are met (a push to a branch matching dependabot or renovate bot), the automation added by this PR will run `./invoke.sh lock --upgrade` and then push an additional commit with the complete set of updated and validated dependencies.
  • This PR only triggers on branches matching the syntax created by dependabot, so it will not interfere with unrelated branches we raise for different features. The actions require approval from someone with write access to the repo before they can run, mitigating the risk of untrusted code running in Actions. This has been tested on a forked version of the repo to verify that the Action successfully runs on branches matching the pattern, and does not run on other branches.
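As an added illustration (not the workflow file from this PR), the following GitHub Actions workflow expresses the behaviour the description outlines: trigger only on bot-created branches, re-lock the whole dependency set, and push one follow-up commit. The file name, job name, committer identity, action versions and Python version are assumptions; the approval gate for untrusted workflow runs is a repository Actions setting, not something the workflow itself declares.

```yaml
# Assumed reconstruction, not the PR's own file. Trigger scope is the point:
# only branches dependabot/renovate create, never ordinary feature branches.
name: Re-lock Python dependencies on bot updates

on:
  push:
    branches:
      - 'dependabot/**'
      - 'renovate/**'

# Least privilege: the job needs only to push a commit back to the bot branch.
permissions:
  contents: write

jobs:
  lock-upgrade:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref_name }}
          fetch-depth: 0

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'   # assumed

      # Regenerate the complete, mutually consistent set of pinned requirements
      # rather than keeping the single-package bump the bot proposed.
      - name: Re-lock all Python dependencies
        run: ./invoke.sh lock --upgrade

      # Commit only when the lock step changed something. A push made with the
      # default GITHUB_TOKEN does not trigger further workflow runs, so this
      # cannot loop back into itself.
      - name: Push the validated dependency set
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if [ -z "$(git status --porcelain)" ]; then
            echo "No lock changes to commit"
            exit 0
          fi
          git add -A
          git commit -m "chore: re-lock dependencies after ${{ github.ref_name }} update"
          git push origin "HEAD:${{ github.ref_name }}"
```

Keeping `permissions` scoped to `contents: write` and relying on the repository's required-approval setting for workflow runs is what limits what an untrusted branch can do if this job is ever triggered unexpectedly.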

@eeaton eeaton enabled auto-merge (squash) February 7, 2025 15:10