chore(security): add Dependabot cooldown, grouped updates, and pin Python deps

[Copilot]

Supply-chain hardening: throttle Dependabot noise, fix github-actions grouping, and lock pipenv installs to the committed lockfile.

dependabot.yml

• Add cooldown: default-days: 3 to both pip and github-actions entries
• Replace github-actions' incorrect production/development groups with a single wildcard group — Actions have no such distinction:

  groups:
    actions:
      patterns: ["*"]

• pip groups (production-dependencies / development-dependencies) left as-is

python-build-test.yml

• Pin pipenv to latest stable (2026.6.1) instead of floating latest
• Switch pipenv install --dev → pipenv sync --dev to install strictly from Pipfile.lock (already committed)

[felickz]

👍 🤖🟢- Tests Pass

[Copilot]

Pull request overview

Supply-chain hardening for the repo's automated dependency tooling: adds a Dependabot cooldown to reduce update churn, corrects the github-actions grouping (Actions don't have production/development dependency types), and tightens the CI install step by pinning pipenv and using pipenv sync against the committed lockfile.

Changes:

• Add a 3-day Dependabot cooldown to both pip and github-actions ecosystems.
• Replace invalid production/development groups for github-actions with a single wildcard actions group.
• Pin pipenv in CI and switch from pipenv install --dev to pipenv sync --dev for reproducible installs.

Show a summary per file

File	Description
.github/dependabot.yml	Adds cooldown to both ecosystems and fixes the github-actions grouping.
.github/workflows/python-build-test.yml	Pins pipenv version and uses pipenv sync --dev against the lockfile.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 0

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None