
Modernize CI: harden workflow, replace JSON validator, add dependabot#1549

Merged

jeefy merged 1 commit into cncf:main from cblecker:modernize-ci-workflow, Mar 11, 2026

Conversation

@cblecker cblecker (Member) commented Mar 10, 2026

Summary

  • Harden GitHub Actions workflow: Add permissions: contents: read (least-privilege), upgrade actions/checkout to v6 with persist-credentials: false
  • Replace JSON validator: Swap the unmaintained docker://orrosenblatt/validate-json-action:latest container for check-jsonschema (from the python-jsonschema org — maintainers of the reference Python JSON Schema implementation)
  • Add dependabot config: Automated weekly PRs to keep GitHub Actions versions current

Schema change detail

The email regex pattern in schema.json contained \! — a backslash-escaped exclamation mark. The ! character is not a special regex character and does not need escaping. Per ECMA-262 (the JavaScript regex standard), \! is technically an invalid escape sequence.

The old validator (AJV, via the Docker action) was lenient about this and silently treated \! as !. check-jsonschema correctly rejects the invalid escape per the spec. The fix is simply removing the unnecessary backslash: \! → !.

There is no behavioral change — both \! (where tolerated) and ! match the literal ! character. The set of valid/invalid email strings matched by the pattern is identical before and after this change.

- "pattern": "^[^\\s@]+\\![^\\s@]+\\.[^\\s@]+$"
+ "pattern": "^[^\\s@]+![^\\s@]+\\.[^\\s@]+$"
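Review bot: the Verification section only shows the current people.json passing; since the point of this hunk is that the new validator is stricter about the escape but otherwise equivalent, it would be worth adding a negative case to the test plan (a value with an "@" instead of "!", or with no "." in the domain part) so the stricter engine is also seen rejecting what the old one rejected. One more observation traceable to the line itself: the `[^\\s@]+` classes exclude whitespace and "@" but not "!", so the `+` line, like the `-` line, still accepts a value containing more than one "!"; that is unchanged here, but a sentence in the description noting that the no-behavioral-change claim concerns only the escape would make the scope of the change explicit.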

Verification

  • check-jsonschema --schemafile schema.json people.json passes locally against the current people.json

Test plan

  • CI workflow runs successfully on this PR (the workflow itself validates the schema)
  • Review validate.yml for correctness
  • Review schema.json pattern change
  • Review dependabot.yml config
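Added example, not code from this PR or from the cncf/people project: it shows one engine-level reason a lenient and a strict JSON Schema validator can disagree on the pattern above (ECMA-262 unicode mode rejects the `\!` identity escape, legacy Annex B mode tolerates it as a literal `!`), and checks that the old and new patterns accept exactly the same constructed sample values. The sample addresses are invented for this example; the two pattern strings are copied from the diff in the description, where JSON and JavaScript string escaping happen to coincide.

```javascript
// Added example, not code from the PR or the cncf/people project.
// The two pattern strings are copied verbatim from the diff in the PR
// description; JSON string escaping and JS string escaping coincide here,
// so "\\s" becomes the regex \s and "\\!" becomes \!.
const OLD_PATTERN = "^[^\\s@]+\\![^\\s@]+\\.[^\\s@]+$"; // with the \! escape
const NEW_PATTERN = "^[^\\s@]+![^\\s@]+\\.[^\\s@]+$";   // plain !

// Compile under the given flags; return null when the engine rejects the
// pattern. In ECMA-262 unicode mode ("u") \! is a SyntaxError because an
// identity escape may only precede a syntax character; legacy (Annex B)
// mode tolerates it and treats \! as a literal !.
function compile(pattern, flags = "") {
  try {
    return new RegExp(pattern, flags);
  } catch (err) {
    return null;
  }
}

// Constructed sample values (assumption: addresses are stored in the
// "local!domain.tld" shape the pattern describes). Mix of valid and invalid.
const SAMPLES = [
  "jane.doe!example.org",    // valid
  "jane!sub.example.co.uk",  // valid, multi-label domain
  "jane@example.org",        // '@' is excluded by every class
  "jane!example",            // no '.' in the domain part
  "jane doe!example.org",    // whitespace excluded by every class
  "!example.org",            // empty local part
];

// Return the samples a pattern accepts, or null if it does not compile.
function accepted(pattern, flags = "") {
  const re = compile(pattern, flags);
  return re === null ? null : SAMPLES.filter((s) => re.test(s));
}

// Strict engine: the old pattern is rejected outright, the new one compiles.
console.log("old pattern, unicode mode:", compile(OLD_PATTERN, "u") === null ? "rejected" : "accepted");
console.log("new pattern, unicode mode:", compile(NEW_PATTERN, "u") === null ? "rejected" : "accepted");
// Lenient engine: both compile and accept exactly the same samples.
console.log("old pattern, legacy mode:", accepted(OLD_PATTERN));
console.log("new pattern, legacy mode:", accepted(NEW_PATTERN));
```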

@cblecker cblecker force-pushed the modernize-ci-workflow branch 2 times, most recently from 218c526 to 8540e53 on March 10, 2026 at 19:21
Upgrade checkout to v6 with persist-credentials: false, add read-only
permissions, replace unmaintained Docker-based JSON validator with
check-jsonschema, fix invalid \\! escape in schema email pattern, and
add dependabot config for automated action updates.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Christoph Blecker <admin@toph.ca>
@cblecker cblecker force-pushed the modernize-ci-workflow branch from 8540e53 to 6637729 on March 10, 2026 at 19:28
@jeefy jeefy merged commit 33945cd into cncf:main Mar 11, 2026
3 checks passed
@cblecker cblecker deleted the modernize-ci-workflow branch March 11, 2026 13:54
2 participants