Pin peribolos image by digest, tracked by Dependabot

[banesullivan]

scripts/run-peribolos.sh pulled us-docker.pkg.dev/k8s-infra-prow/images/peribolos:latest. The tag is mutable: runs are not reproducible, and a compromised upstream image would execute in CI with the org-admin installation token mounted at /etc/github/token.

Pin the image to a digest and route updates through the repo's existing Dependabot hookup so the digest does not drift silently:

• docker/peribolos/Dockerfile holds the pinned FROM line. The Dockerfile is never built; it exists as a single source of truth that Dependabot can watch.
• .github/dependabot.yml gains a docker ecosystem entry pointed at that directory. Dependabot opens a PR when a new digest is available, on the same monthly cadence as the existing github-actions updates.
• scripts/run-peribolos.sh parses the FROM line so the digest lives in exactly one place.

Initial pin:

sha256:6978d5adbb75487cbdb9088eef1437acd8a93a6e75f01abe76c5d0fca853bba8

Digest taken from the image pulled on run 26330237447.

Also enabled Dependabot security updates on the repo (settings toggle, no diff in this PR).