chore: narrow dependabot to github-actions only 🔧

[damsleth]

Summary

Replaces the broad npm/docker/github-actions dependabot config (#1388) with a github-actions-only setup.

Why

The initial broad config produced 12+ PRs in a single sweep, several already failing CI on real incompatibilities (Apollo, FluentUI, ESLint, TypeScript, Babel groups). For a production multi-tenant SaaS, weekly application-dep auto-bumps are net-negative triage cost. The security value comes from CVE patches, not from chasing minor version churn.

New strategy

Source	Cadence	Coverage
This config	weekly	github-actions only (rarely break, often CVE-relevant)
GitHub native "Dependabot security updates" (repo Settings -> Code security)	event-driven	npm + docker + everything else, CVE-only
chore/deps-YYYY-MM branches	manual, periodic	npm + docker version updates, batched, locally verified

This is also superseding #1407 (which added a node major-bump ignore to the docker ecosystem) - the docker ecosystem is gone entirely, so the ignore rule isn't needed.

⚠️ Required follow-ups

• Repo Settings -> Code security -> verify Dependabot alerts and Dependabot security updates are both enabled (this is the safety net for CVEs after we removed npm/docker from the config)
• Close chore: pin node docker base image to its major version 🔧 #1407 as superseded by this PR
• Close the in-flight noisy PRs: chore(deps): bump docker/login-action from 3 to 4 #1390-1394, chore(deps): bump the fluentui group across 1 directory with 4 updates #1396-1406 (will do in this PR's merge commit via comment, or by hand)

Test plan

• Dependabot's next scheduled run (next Monday 06:00 Europe/Oslo) opens only github-actions PRs, not npm/docker
• Security alerts still fire for genuine CVEs (test by checking the Security tab)