
chore: setup dependabot #20

Merged
jeanscherf merged 1 commit into main from chore/dependabot-config
Mar 26, 2026

Conversation

@jeanscherf
Member

Description

Configures Dependabot for security-only updates.

Changes:

  • .github/dependabot.yml: Ignore all regular version updates (major, minor, patch) for pip dependencies. Dependabot Security Updates bypass these rules and will still create PRs when CVEs are detected.

Why: We use the compatible release operator (~=) in pyproject.toml to pin patch versions. Regular Dependabot version update PRs propose bumps outside these constraints, creating noise. By relying on Dependabot Security Updates, we still receive automatic PRs for CVE fixes while maintaining intentional version control.

Related Issue

N/A

Type of Change

Please check the relevant option:

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Dependency update

How to Test

  1. Verify .github/dependabot.yml has ignore rules for all semver update types
  2. Confirm Dependabot Security Updates are enabled in Settings → Code security and analysis

Checklist

Before submitting your PR, please review and check the following:

  • I have read the Contributing Guidelines
  • I have verified that my changes solve the issue
  • I have added/updated automated tests to cover my changes
  • All tests pass locally
  • I have verified that my code follows the Code Guidelines
  • I have updated documentation (if applicable)
  • I have added type hints for all public APIs
  • My code does not contain sensitive information (credentials, tokens, etc.)
  • I have followed Conventional Commits for commit messages

Breaking Changes

N/A - This is a configuration change only.
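A dependabot.yml that implements the policy described in this PR, written here as an added example rather than the file from the PR itself; the `pip` manifest location (`/`) and the weekly schedule are assumptions, since the page states neither:

```yaml
# Hypothetical .github/dependabot.yml for security-only updates (added example,
# not the PR's own file). Assumed values: manifests at the repository root and
# a weekly schedule for the version-update scan.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Suppress regular version-update PRs for every dependency at every semver
    # level, so Dependabot stops proposing bumps outside the ~= pins in
    # pyproject.toml. Per the PR description, Dependabot Security Updates
    # bypass these update-type ignores and still open PRs for CVE fixes.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
          - "version-update:semver-patch"
```

This file only silences version updates; security updates are a separate repository setting, which is why the PR's test step 2 checks Settings → Code security and analysis rather than the file.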

@jeanscherf jeanscherf requested a review from a team as a code owner March 25, 2026 18:19
@jeanscherf jeanscherf merged commit fd8aeb5 into main Mar 26, 2026
10 checks passed
@jeanscherf jeanscherf deleted the chore/dependabot-config branch March 26, 2026 12:17