
Add protected-files guard to detect-projects job #59

Merged
Chris-Wolfgang merged 1 commit into main from chore/add-protected-files-guard on Apr 29, 2026

@Chris-Wolfgang

Owner

Summary

Adds the protected-files guard to the detect-projects job in pr.yaml:

  1. Fetch trusted configuration files from main branch — copies workflow / Directory.Build.props / .editorconfig / etc. from main so subsequent CI steps run against the trusted versions, not the PR's.
  2. Detect protected configuration file changes — fails the job if the PR modified any of those protected files, prompting a maintainer review.

Mirrors the existing pattern in repo-template/pr.yaml and the other extension repos that already have the guard.

Why this repo was missing it

The "Add .github/workflows/* to protected file detection" rollout that propagated this guard hadn't reached this repo yet. The recent action-upgrade PR merged here without tripping the guard precisely because the guard wasn't installed.

Behavior

  • PRs that don't touch .github/workflows/*, Directory.Build.props, etc. are unaffected.
  • PRs that DO touch them will fail this job with a clear maintainer-review prompt — the same ergonomics every other repo on this template has.
  • Dependabot is exempted (its protected-file bumps are legitimate and trustworthy).

Test plan

  • CI passes on this PR (this PR itself touches pr.yaml, so the guard self-trips on first install — CI will fail on Detect .NET Projects. Maintainer reviews the diff and merges.)

Adds two steps to the detect-projects job:
- 'Fetch trusted configuration files from main branch' copies workflow
  / Directory.Build.props / .editorconfig / etc. from main so the rest
  of CI runs against the trusted versions instead of the PR's.
- 'Detect protected configuration file changes' fails the job if the
  PR modified any protected files, requiring maintainer review.

Mirrors repo-template's pr.yaml. Closes the gap left when the
protected-file detection rollout did not reach this repo before
the recent action-upgrade PR was merged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Chris-Wolfgang Chris-Wolfgang merged commit 54c248e into main Apr 29, 2026
8 checks passed
@Chris-Wolfgang Chris-Wolfgang deleted the chore/add-protected-files-guard branch April 29, 2026 00:04
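
The detection step this PR describes, written as a shell function (an added example, not the repository's pr.yaml): the pattern list holds only the three paths the description names, and the function names, the nested `Directory.Build.props` match and the `dependabot[bot]` actor comparison are assumptions.

```shell
#!/bin/sh
# Added illustration; not the step shipped in this repository's pr.yaml.

# Paths named in the PR description. The real guard protects more ("etc.");
# matching Directory.Build.props in subdirectories is an assumption.
is_protected() {
    case "$1" in
        .github/workflows/*) return 0 ;;
        Directory.Build.props|*/Directory.Build.props) return 0 ;;
        .editorconfig) return 0 ;;
        *) return 1 ;;
    esac
}

# check_protected ACTOR   (changed paths on stdin, one per line)
# Prints every protected path found in the change list.
# Returns 1 when protected paths changed and ACTOR is not Dependabot.
check_protected() {
    actor=$1
    hits=$(while IFS= read -r path; do
        if is_protected "$path"; then
            printf '%s\n' "$path"
        fi
    done)

    if [ -z "$hits" ]; then
        return 0            # nothing protected was touched
    fi
    if [ "$actor" = "dependabot[bot]" ]; then
        return 0            # exemption described in the PR
    fi
    printf '%s\n' "$hits"   # list the files a maintainer must review
    return 1
}

# Constructed sample change list, not taken from a real PR.
printf '%s\n' 'src/App.cs' '.github/workflows/pr.yaml' \
    | check_protected some-contributor \
    || echo "guard tripped: maintainer review required"
```

In a workflow the change list would come from something like `git diff --name-only --no-renames origin/main...HEAD`; `--no-renames` keeps the old path of a renamed file in the list, so moving a protected file away still trips the guard.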