
chore: dependabot config (5 ecosystems, weekly)#54

Merged
adamgell merged 1 commit into main from chore/dependabot on Apr 22, 2026

Conversation

@adamgell
Owner

Why

Pairs with #52 (cargo-audit weekly scan): audit catches CVEs/advisories on pinned versions, dependabot keeps the pins themselves moving so we don't sit on stale deps. Together they form the inbound supply-chain hygiene loop.

What's covered

Five ecosystems, all weekly (Monday 06:00), 5 PR/ecosystem cap, auto-assigned to @adamgell, labeled dependencies:

Ecosystem      | Directory                              | Commit prefix | Grouping
---------------|----------------------------------------|---------------|------------------------------------------------------------------
cargo          | / (workspace root)                     | cargo:        | patch updates grouped, minor/major individual
cargo          | /cmtrace-wasm (self-hosting workspace) | cargo:        | patch updates grouped, minor/major individual
npm            | /                                      | npm:          | dev-dependencies grouped, runtime individual
docker         | /crates/api-server                     | docker:       | catches rust:1.90-slim-bookworm + gcr.io/distroless/cc-debian12 bumps
github-actions | /                                      | ci:           | pin updates for actions/checkout, dtolnay/rust-toolchain, etc.

Expected PR volume

  • First cycle: 5-15 PRs is normal as dependabot catches up on accumulated drift.
  • Steady state: 1-3 PRs/week (mostly grouped patch bumps + the occasional minor).

Notes

  • @adamgell is auto-assigned to every PR (review queue surface).
  • target-branch omitted -> defaults to main.
  • Cron staggered to Monday morning so the review batch lands at start of week.

Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
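What a `.github/dependabot.yml` matching the table and notes above looks like, as an added example reconstructed from the PR description; it is not the file merged in #54, and the group names (`cargo-patch`, `npm-dev`) and the `timezone` field are assumptions. Each `updates` entry is one row of the table: weekly Monday 06:00 schedule, a cap of 5 open PRs, assignee and label applied, and the commit prefix per ecosystem (Dependabot adds the colon separator itself).

```yaml
# Added example: reconstructed from the PR description, not the merged file.
# Group names and the timezone are assumptions; everything else follows the table.
version: 2
updates:
  # cargo, workspace root: patch bumps grouped into one PR, minor/major individual
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"          # assumption: the page does not state a timezone
    open-pull-requests-limit: 5
    assignees: ["adamgell"]
    labels: ["dependencies"]
    commit-message:
      prefix: "cargo"
    groups:
      cargo-patch:
        patterns: ["*"]
        update-types: ["patch"]

  # cargo, self-hosting workspace under /cmtrace-wasm: same policy as the root
  - package-ecosystem: "cargo"
    directory: "/cmtrace-wasm"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    assignees: ["adamgell"]
    labels: ["dependencies"]
    commit-message:
      prefix: "cargo"
    groups:
      cargo-patch:
        patterns: ["*"]
        update-types: ["patch"]

  # npm, root: devDependencies grouped, runtime dependencies one PR each
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    assignees: ["adamgell"]
    labels: ["dependencies"]
    commit-message:
      prefix: "npm"
    groups:
      npm-dev:
        dependency-type: "development"
        patterns: ["*"]

  # docker: watches the Dockerfile under crates/api-server for base-image bumps
  - package-ecosystem: "docker"
    directory: "/crates/api-server"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    assignees: ["adamgell"]
    labels: ["dependencies"]
    commit-message:
      prefix: "docker"

  # github-actions: pin updates for the actions referenced in .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    assignees: ["adamgell"]
    labels: ["dependencies"]
    commit-message:
      prefix: "ci"
```

Once committed on the default branch, GitHub parses the file and surfaces any schema error under the repository's Dependabot settings, so a typo in an ecosystem name or directory shows up before the first Monday run rather than as silently missing PRs. The Docker entry only sees the base images in the Dockerfile; digest-pinned images get a PR that moves the digest, which is the behaviour you want alongside the cargo-audit scan from #52.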

Copilot AI review requested due to automatic review settings April 22, 2026 01:37

Copilot AI left a comment


Pull request overview

Adds a Dependabot version-updates configuration to keep dependencies across multiple ecosystems moving on a predictable weekly cadence, complementing the weekly cargo-audit scan from #52.

Changes:

  • Configure weekly Dependabot updates for Cargo (root + cmtrace-wasm) with grouped patch bumps.
  • Configure weekly Dependabot updates for npm (root) with grouped dev-dependency bumps.
  • Configure weekly Dependabot updates for Docker (crates/api-server) and GitHub Actions (root).


@adamgell adamgell merged commit 55ca3f6 into main Apr 22, 2026
6 checks passed
@adamgell adamgell deleted the chore/dependabot branch April 22, 2026 01:51
