Sync upstream repository template changes and apply dependabot version updates

[m-houston]

Description

Context

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

• This PR includes code generated by a coding agent

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[Copilot]

Pull request overview

Synchronizes this repository with upstream template changes and Dependabot updates, primarily by modernizing CI/CD workflows and hardening helper scripts used in development/CI.

Changes:

• Updated multiple GitHub Actions workflows/actions to newer actions/*, ossf/scorecard-action, and AWS credential action revisions.
• Improved Docker helper scripts (stricter required env var checks; safer variable scoping; adjusted clean behavior).
• Updated docs Ruby dependencies in docs/Gemfile.lock.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
scripts/githooks/check-todos.sh	Refreshes TODO scanning hook docs/behavior and argument handling.
scripts/docker/docker.mk	Changes clean target behavior based on whether DOCKER_IMAGE is set.
scripts/docker/docker.lib.sh	Adds env-var validation, tightens scoping, and adjusts docker clean/build/push helpers.
docs/Gemfile.lock	Bumps Ruby gem versions used for docs.
.github/workflows/stage-4-acceptance.yaml	Updates checkout action pin used during acceptance stage jobs.
.github/workflows/stage-3-build.yaml	Updates checkout/upload-artifact versions used in build stage jobs.
.github/workflows/stage-2-test.yaml	Updates checkout/upload-artifact versions used in test stage jobs.
.github/workflows/stage-1-commit.yaml	Updates checkout versions used in commit stage jobs.
.github/workflows/scorecard.yml	Updates scorecard workflow action pins (checkout, scorecard-action, upload-artifact).
.github/workflows/scheduled-repository-template-sync.yaml	Updates checkout action pin for scheduled template sync.
.github/workflows/pr_closed.yaml	Updates checkout version used in PR-closed workflow jobs.
.github/workflows/cicd-3-deploy.yaml	Updates checkout/upload-artifact versions and adjusts a TODO comment.
.github/workflows/cicd-1-pull-request.yaml	Updates checkout version used in CI/CD pull-request workflow.
.github/scripts/dispatch_internal_repo_workflow.sh	Adds CLI arg validation + improves jq payload construction for workflow dispatch.
.github/actions/scan-dependencies/action.yaml	Updates artifact upload + AWS credentials action pins for dependency scanning.
.github/actions/create-lines-of-code-report/action.yaml	Updates artifact upload + AWS credentials action pins for LOC reporting.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.