docs: cleanup docs guidance, additional workflow hardening

[lelia]

Summary

This PR cleans up customer-facing guidance after the recent release and dependency-process changes, simplifies version management, and hardens review automation for toolchain updates. It also clarifies that Trivy-backed container scanning is temporarily disabled in the prebuilt GitHub Action and Docker image distributions while that dependency path remains under additional review.

Changes

• Refreshes docs to consistently reflect the current published versions and supported usage paths
• Tightens pinning guidance across GitHub Action, Docker, native install, and parameter examples
• Clarifies that Trivy-backed container scanning is temporarily disabled in the prebuilt GitHub Action and Docker distributions while security review is underway
• Makes pyproject.toml the canonical release version source for the new release process, and reintroduces a sync script for derived version files
• Hardens Dependabot handling with allowlists, modest PR queue caps, grouped minor/patch GitHub Actions updates, and a safer PR-based review workflow

Testing

• python3 scripts/sync_release_version.py --check
• YAML parse validation for Dependabot and workflow files