ci: tweak Dependabot settings

[pjonsson]

Related Issue(s):

• Excessive CI permissions #1618

Description:

Pinning actions by hash will cause
Dependabot to make more pull requests.
Reduce the interval to a weekly interval
and group all the action updates into
a single pull request to keep the amount
manageable.

Also add a cooldown of 10 days,
so the community has a chance to find
compromised releases before Dependabot
makes a pull request out of it.

PR Checklist:

• Pre-commit hooks pass (run pre-commit run --all-files)
• Tests pass (run pytest)
• Documentation has been updated to reflect changes, if applicable
• This PR maintains or improves overall codebase code coverage
• This PR's title is formatted per conventional commits

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.22%. Comparing base (6d50403) to head (3a30b1a).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1620   +/-   ##
=======================================
  Coverage   92.22%   92.22%           
=======================================
  Files          55       55           
  Lines        8414     8414           
  Branches      973      973           
=======================================
  Hits         7760     7760           
  Misses        466      466           
  Partials      188      188           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pjonsson]

My experience is that Dependabot gets a bit spammy when pinning actions by hash, so I have reduced the frequency and grouped all updates into a single PR. I'm not the one getting the notifications for new pull requests in this repository so I don't have an opinion on the settings themselves, if you want a lot of pull requests I'm happy to leave these settings as they are.

I think having a cooldown is a good idea though; it doesn't guarantee anything, but if something gets compromised, the cooldown at least gives a chance for someone else to detect the problem before getting a pull request to this repository.

[gadomski]

I don't see any version pins here?

The dependabot tweaks make sense to me.

[pjonsson]

I don't see any version pins here?

The pins are in #1619, not sure why it didn't close the issue when that PR was merged.

I separated the Dependabot changes to a separate PR since I didn't want them to get in the way of avoiding supply chain attacks.