Enable Dependabot for github-actions and pip ecosystems

OSSF Scorecard's dependency-update-tool check was scoring 0. The project
has no runtime dependencies, but the action versions in .github/workflows
and the test-only deps in requirements.txt are both worth keeping fresh
so we don't ship CI on stale, vulnerable tooling.

Weekly cadence on both ecosystems. Minor and patch bumps are grouped
into a single PR per ecosystem to keep the noise bounded; major bumps
still arrive as standalone PRs so the breaking-change review is honest.

Author: timlnx

.github/dependabot.yml

@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      pip-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"