chore(deps): add dependabot dependency grouping #718

Open
thgaskell wants to merge 2 commits into main from chore/dependabot-grouping

@thgaskell
Contributor

Summary

Adds dependency grouping to .github/dependabot.yml to consolidate related updates into fewer PRs. Currently, dependabot creates separate PRs for the same dependency across all 15 directories (e.g. 8 identical vite bump PRs for a single release).

Also fixes the ignore rule to allow patch updates. The existing config was blocking both major and patch, leaving only minor updates.

Groups

| Group | Patterns | Reasoning |
| --- | --- | --- |
| build-tools | `vite*`, `@vitejs/*` | Biggest pain point. 8 duplicate vite PRs per release. Plugin versions track vite versions, so co-updating prevents build mismatches. Also matches vite-plugin-pwa. |
| testing | `vitest*`, `@vitest/*`, `@testing-library/*`, `jsdom` | These form a single test runtime (vitest runs on jsdom, testing-library renders into it). Version mismatches between testing-library and its DOM dependency cause subtle test failures. |
| react-ecosystem | `react`, `react-dom`, `react-router*` | react and react-dom must always match versions. Router included because major/minor versions often depend on specific React versions. |
| linting | `eslint*`, `prettier*` | Dev-only tools with no runtime impact. ESLint plugins have peer dependency constraints on eslint core, so co-updating is safer. |
| workbox | `workbox-*` | Without grouping, a single Workbox release creates many duplicate PRs. |

What's intentionally ungrouped

Unique dependencies like dexie, @tanstack/react-table, msw, @trussworks/react-uswds, and @babel/* are left ungrouped — they either appear in few directories (no PR spam) or are unrelated (no safety benefit from co-updating).

Note

This overlaps with PR #717 on the ignore rule fix (removing patch from ignore list). Whichever merges first is fine.

Test plan

  • Verify YAML syntax is valid
  • After merge, check that next Thursday's dependabot run produces grouped PRs instead of individual ones

Group related dependencies to reduce PR spam. Without grouping,
dependabot creates separate PRs for the same dependency across
all 15 directories (e.g., 8 identical vite bump PRs).

Groups: build-tools, testing, react-ecosystem, linting, workbox

Also fixes ignore rule to allow patch updates (was previously
blocking both major and patch).
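
An offline check of how the table's patterns resolve, added here as an example and not part of the PR or the project's code. It assumes Dependabot's `*` acts as a shell-style wildcard over the whole package name and that a dependency joins the first group that matches it; some sample package names are constructed. Under those assumptions `vitest` also matches `vite*` and lands in build-tools rather than testing.

```python
from fnmatch import fnmatchcase

# Patterns copied from the PR's Groups table, in table order.
GROUPS = {
    "build-tools": ["vite*", "@vitejs/*"],
    "testing": ["vitest*", "@vitest/*", "@testing-library/*", "jsdom"],
    "react-ecosystem": ["react", "react-dom", "react-router*"],
    "linting": ["eslint*", "prettier*"],
    "workbox": ["workbox-*"],
}

# Package names from the PR text plus constructed ones
# (@vitest/ui, react-router-dom, workbox-window, @babel/core).
SAMPLE = [
    "vite", "vite-plugin-pwa", "vitest", "@vitest/ui", "jsdom",
    "react", "react-dom", "react-router-dom", "eslint", "prettier",
    "workbox-window", "dexie", "msw", "@babel/core",
    "@tanstack/react-table", "@trussworks/react-uswds",
]

def matching_groups(name, groups=GROUPS):
    """Every group with a pattern matching name (assumed: shell-style '*')."""
    return [g for g, pats in groups.items()
            if any(fnmatchcase(name, p) for p in pats)]

def group_for(name, groups=GROUPS):
    """Group the update lands in, assuming first match wins; None if ungrouped."""
    hits = matching_groups(name, groups)
    return hits[0] if hits else None

def overlaps(names, groups=GROUPS):
    """Names claimed by more than one group, where group order decides."""
    result = {}
    for n in names:
        hits = matching_groups(n, groups)
        if len(hits) > 1:
            result[n] = hits
    return result

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n:28} -> {group_for(n) or '(ungrouped)'}")
    for n, hits in overlaps(SAMPLE).items():
        print(f"overlap: {n} matches {hits}; lands in {hits[0]}")
```

Under the same assumptions, listing testing before build-tools would put `vitest` in testing while `vite` stays in build-tools.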