Make dependency alerts the default signal for the campaign workflow

[Copilot]

This updates the campaign workflow to treat dependency security alerts as the default source of work instead of assuming Dependabot PRs come first. The docs now describe PR-first handling as an explicit opt-in via dependency-source: auto.

• Workflow default

  • changes dependency-source from auto to alerts in dependabot-campaign
  • updates the input description to reflect the new alerts-first default

• Runtime guidance

  • clarifies in the workflow prompt that callers should only use PR-first behavior when they explicitly want it
  • keeps auto and prs available for repositories that still center their flow on Dependabot PRs

• Documentation

  • updates the README signal-mode guidance so the recommended default matches the workflow behavior

dependency-source:
  description: Which dependency signals to process. Use alerts for the new default, or choose auto to prefer PRs when they are present.
  required: false
  default: alerts
  type: string