
chore(deps): add detection-only dependabot.yml (Renovate sole PR-opener) #61

Open

williaby wants to merge 1 commit into main from chore/dependabot-detection-only

Conversation


williaby (Owner) commented Jun 4, 2026

Summary

Adds a detection-only .github/dependabot.yml so Renovate remains the sole PR-opener while Dependabot alerts continue serving as the multi-ecosystem detection ledger.

  • open-pull-requests-limit: 0 suppresses Dependabot version PRs.
  • Dependabot alerts (a separate repo setting) remain on.
  • Satisfies the amended CI-021 (refs CI-074).

Ecosystems included (verified against the clone)

  • pip — pyproject.toml + uv.lock present
  • github-actions — .github/workflows/ present (13 workflow files)

npm and docker blocks omitted (no package.json, no Dockerfile).

Stage 4 Cat A (detection-only) fleet rollout.

Summary by CodeRabbit

  • Chores
    • Updated Dependabot configuration to adjust dependency update detection settings.
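An illustrative detection-only dependabot.yml matching the PR description above. This is an added example, not the file committed in this PR; the root directory, weekly interval and the two ecosystems follow the description, and the limit is placed on each updates entry, where the Dependabot v2 schema defines it.

```yaml
# Illustrative reconstruction, not the file committed in this PR.
# Detection-only mode: Dependabot keeps scanning for outdated
# dependencies, but opens no version-update PRs, so Renovate stays
# the sole PR-opener.
version: 2
updates:
  # Python: pyproject.toml + uv.lock live at the repo root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0   # suppresses Dependabot version PRs

  # GitHub Actions: with directory "/", Dependabot reads .github/workflows/
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0   # same suppression for workflow pins
```

The limit only governs version-update PRs; Dependabot alerts and Dependabot security updates are each toggled by a repository setting rather than by this file, so the alert ledger stays on regardless of this value.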

Copilot AI review requested due to automatic review settings June 4, 2026 14:18

coderabbitai Bot commented Jun 4, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a007239 and 48e5305.

📒 Files selected for processing (1)
  • .github/dependabot.yml

📝 Walkthrough

A new Dependabot configuration file enables detection-only monitoring of Python package and GitHub Actions updates on a weekly schedule, with PR creation disabled via open-pull-requests-limit: 0 set globally and per-ecosystem.

Changes

Dependabot Detection Configuration

  • Layer / File(s): Detection-only Dependabot setup (.github/dependabot.yml)
  • Summary: Dependabot configuration enables weekly update detection for pip and github-actions ecosystems with open-pull-requests-limit: 0 globally and per-ecosystem to prevent PR creation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

dependencies

Poem

🐰 The watchful rabbit hops through code,
Eyes keen for updates down the road,
Each week it checks both pip and actions bright,
But PR creation? Not today, alright! ✨

🚥 Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main change: adding a detection-only dependabot.yml configuration file. It is specific, concise, and clearly communicates the primary objective of the PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



github-actions Bot commented Jun 4, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment


Pull request overview

Adds a Dependabot configuration in “detection-only” mode so that Dependabot continues to surface alerts while Renovate remains the only tool opening dependency update PRs.

Changes:

  • Introduces .github/dependabot.yml with open-pull-requests-limit: 0 to suppress Dependabot version update PRs.
  • Configures detection coverage for pip (repo root) and github-actions (workflows) on a weekly schedule.
