chore(deps): add Dependabot for actions, docker, pip, and npm (#147)

* chore(deps): add Dependabot for actions, docker, pip, and npm

Enables automated version monitoring across all ecosystems:
- github-actions: bumps SHA-pinned actions with tag comments
- docker: bumps base image digests in agent/Dockerfile
- pip: bumps Python deps in agent/pyproject.toml + uv.lock
- npm: bumps JS deps across yarn workspaces (cdk, cli, docs)

Groups related packages (AWS CDK, OpenTelemetry, ESLint, Jest)
to reduce PR noise. Weekly schedule, Monday.

Refs #104

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): schedule dependabot runs on Saturday

Saturday avoids Monday-morning PR flood and respects UTC→eastern
hemisphere dateline (Sunday UTC can be Monday locally).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): group all updates into single PR per ecosystem

Each ecosystem produces at most 1 PR per week (all updates bundled).
CI tests catch incompatibilities — no need for per-package isolation.
Reduces PR fatigue from 10-20 individual PRs to max 4 per week.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): ecosystem name in commit prefix, limit to 1 open PR each

Commit messages now read: chore(deps): github-actions bump ...,
chore(deps): docker bump ..., chore(deps): pip bump ...,
chore(deps): npm bump ...

Limit 1 open PR per ecosystem — if last week's isn't merged, no new
one is created (forces resolution before accumulating stale PRs).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): shorten actions prefix

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): add discoverability comments for directory-scoped ecosystems

Dependabot does not support glob patterns for directories — pip and
docker require explicit paths. Comments note where to add entries
if new manifests appear outside /agent.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): use glob directories and uv ecosystem

- Switch docker and python from explicit directory to `directories: ["**/*"]`
  for automatic discovery of manifests anywhere in the repo
- Switch from `pip` to `uv` ecosystem (native uv.lock support)
- Switch npm to glob directories for consistency
- Keep github-actions on `directory: "/"` (workflows always in one place)

Pattern validated against awslabs/mcp which uses identical config
across 43+ Dockerfiles successfully.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: bgagent <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: scottschreckengaust

.github/dependabot.yml

@@ -0,0 +1,53 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+    commit-message:
+      prefix: "chore(deps): actions"
+    open-pull-requests-limit: 1
+    groups:
+      all-actions:
+        patterns: ["*"]
+
+  - package-ecosystem: "docker"
+    directories:
+      - "**/*"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+    commit-message:
+      prefix: "chore(deps): docker"
+    open-pull-requests-limit: 1
+    groups:
+      all-docker:
+        patterns: ["*"]
+
+  - package-ecosystem: "uv"
+    directories:
+      - "**/*"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+    commit-message:
+      prefix: "chore(deps): uv"
+    open-pull-requests-limit: 1
+    groups:
+      all-python:
+        patterns: ["*"]
+
+  - package-ecosystem: "npm"
+    directories:
+      - "**/*"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+    commit-message:
+      prefix: "chore(deps): npm"
+    open-pull-requests-limit: 1
+    groups:
+      all-npm:
+        patterns: ["*"]