ci: clean up Dependabot config and apply pending action bumps

Bring the post-v0.1.0 Dependabot work into one commit:

  * Remove duplicate `/.github/workflows` ecosystem entry — the
    github-actions ecosystem at `/` already recursively scans
    `.github/workflows/`, so the second entry was producing two
    PRs per action.

  * Add `groups.actions-minor` so future Monday-morning runs roll
    minor and patch bumps into one grouped PR. Majors still arrive
    as individual PRs because they're more likely to need review.

  * Apply the four pending major bumps left outstanding when
    v0.1.0 shipped (all four target tags verified to exist):

      actions/checkout              v5      -> v6
      actions/upload-artifact       v4      -> v7
      softprops/action-gh-release   v2      -> v3
      azure/trusted-signing-action  v0.5.1  -> v2

    The original Dependabot PRs got closed when v0.1.0 was
    force-pushed and their head branches deleted; Dependabot
    refuses to re-propose under its already-closed dedup rule,
    so applying them directly was the only path forward.

trusted-signing-action@v2 isn't exercised by CI until the
AZURE_TRUSTED_SIGNING_* repo secrets are configured. The pin is
current; behavior only changes once signing is wired up.

Author: imanimanyara

.github/dependabot.yml

@@ -1,7 +1,9 @@
 version: 2
 
 updates:
-  # GitHub Actions used in this repo's workflows.
+  # GitHub Actions. Dependabot's github-actions ecosystem at directory `/`
+  # already scans `.github/workflows/` recursively — a second entry pointed
+  # at `/.github/workflows` would duplicate every PR.
   - package-ecosystem: github-actions
     directory: /
     schedule:
@@ -16,19 +18,11 @@ updates:
     labels:
       - dependencies
       - github-actions
-
-  # Catches updates to the workflow files under .github/workflows/.
-  - package-ecosystem: github-actions
-    directory: /.github/workflows
-    schedule:
-      interval: weekly
-      day: monday
-      time: "06:00"
-      timezone: America/New_York
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: ci
-      include: scope
-    labels:
-      - dependencies
-      - github-actions
+    groups:
+      # Roll patch/minor updates together so we don't get five PRs every
+      # Monday for routine actions/* version bumps. Majors stay separate.
+      actions-minor:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch

.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -82,14 +82,14 @@ jobs:
 
       - name: Upload Pester results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: pester-results
           path: pester-results.xml
           if-no-files-found: warn
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: claude-code-install-manager-unsigned
           path: |

.github/workflows/release.yml

@@ -50,7 +50,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.inputs.ref || github.ref }}
           persist-credentials: false
@@ -132,7 +132,7 @@ jobs:
 
       - name: Sign with Azure Trusted Signing
         if: steps.signmode.outputs.mode == 'azure'
-        uses: azure/trusted-signing-action@v0.5.1
+        uses: azure/trusted-signing-action@v2
         with:
           azure-tenant-id:        ${{ secrets.AZURE_TENANT_ID }}
           azure-client-id:        ${{ secrets.AZURE_CLIENT_ID }}
@@ -190,15 +190,15 @@ jobs:
           "name=$name" | Add-Content -Path $env:GITHUB_OUTPUT
 
       - name: Upload artifacts to workflow run
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ steps.zip.outputs.name }}
           path: ${{ steps.zip.outputs.zip }}
           if-no-files-found: error
 
       - name: Create / update GitHub Release
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           tag_name: ${{ steps.ver.outputs.tag }}
           name:     "Claude Code Install Manager ${{ steps.ver.outputs.version }}"