
chore: update all dependencies and configure grouped dependabot#590

Merged
gijzelaerr merged 1 commit into master from chore/update-deps-and-group-dependabot
Feb 27, 2026

Conversation

@gijzelaerr
Owner

Summary

Supersedes #581, #582, #583

Updates all dependencies in uv.lock to their latest versions and adds a dependabot.yml configuration with grouped updates.

Problem

Dependabot was creating individual PRs for every single transitive dependency bump in uv.lock (urllib3, virtualenv, filelock, etc.). These are low-risk lockfile-only changes that don't affect the package's published dependencies, but they generate a lot of noise — each one requires review, CI runs, and a merge.

Solution

1. Batch update all dependencies now

Ran uv lock --upgrade to pull in all latest versions at once:

Package           Old       New
filelock          3.20.1    3.24.3
urllib3           2.6.2     2.6.3
virtualenv        20.35.4   21.0.0
ruff              0.14.10   0.15.4
tox               4.32.0    4.46.3
sphinx-rtd-theme  0.5.1     3.1.0
...and more

2. Add .github/dependabot.yml with grouped updates

groups:
  all-dependencies:
    patterns:
      - "*"

This tells Dependabot to batch all uv dependency updates into a single weekly PR instead of creating one PR per package. The same grouping is applied to GitHub Actions updates.

Schedule: weekly on Monday.

How other projects handle this

  • Grouping (what we're doing): Dependabot groups all updates into one PR. Simple, built-in, no extra tooling.
  • Renovate Bot: More powerful alternative to Dependabot with auto-merge, better grouping, and changelogs. Worth considering if grouped Dependabot still feels noisy.
  • Scheduled CI job: Some projects run uv lock --upgrade && commit && PR on a cron schedule via GitHub Actions. More control but more maintenance.

Grouped Dependabot is the simplest approach and is what most uv-based projects use.

Test plan

  • uv lock --upgrade succeeds
  • Verify CI passes with updated dependencies
  • After merge, verify Dependabot creates grouped PRs going forward

🤖 Generated with Claude Code
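The PR description only quotes the `groups:` fragment. The following is an added example, not the file merged in this PR, of what a complete `.github/dependabot.yml` looks like when assembled from the settings the description states: the `uv` package ecosystem, a weekly Monday schedule, a single `"*"` group, and the same grouping applied to GitHub Actions. Any key beyond those (the `directory` value, for instance) is an assumption; the real file in the repository may differ.

```yaml
# Added example: reconstructed from the PR description, not the merged file.
# Assumptions: the project root ("/") holds pyproject.toml / uv.lock and the
# workflows live under .github/workflows in the same repository.
version: 2
updates:
  # uv.lock bumps: lockfile-only, batched into one PR per week
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      all-dependencies:
        patterns:
          - "*"

  # GitHub Actions version bumps, batched the same way
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      all-dependencies:
        patterns:
          - "*"
```

Groups are scoped per `updates` entry, so this yields at most two PRs per week: one for `uv.lock` and one for action versions. One consequence of grouping worth keeping in mind: a single grouped PR carries every transitive bump at once, so the review and the CI run cover the whole lockfile diff rather than one package, and the group pattern `"*"` has no version ceiling, so a major bump such as `virtualenv` 20 to 21 lands in the same PR as patch-level changes.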

Update uv.lock with latest dependency versions, superseding the
individual dependabot PRs (#581, #582, #583).

Add .github/dependabot.yml with grouped updates so future dependency
bumps arrive as a single weekly PR instead of one PR per package.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gijzelaerr gijzelaerr merged commit d65394d into master Feb 27, 2026
33 checks passed