dependabot: apply cooldown except for action reviews

[raboof]

Fixes #683

Sadly GHA are not so easy to test, so this might take some rounds to get right :)

[potiuk]

Sadly GHA are not so easy to test, so this might take some rounds to get right :)

Try claude.... (and not joking about it) - for things like renaming workflows etc. It's actually very good in findng all the places that needs to get updated :)

[raboof]

Fixed a few things, now seems OK to me.

That "Verify Dependabot Action Build" is skipped makes sense since this is not a dependabot PR
That "Check for transitive failures in current latest actions" fails is expected, that's #606

[potiuk]

Following up on my earlier review — turning the actionable items into inline suggestions. Three of these (the using: "composite" header, the update_composite_action.yml typo, and the open-pull-requests-limit: 50 placement) are blockers in my opinion; the rest are polish.

[potiuk]

Re-review on e488982 — all three blockers and every polish item from the previous pass are addressed. Confirmed against the new HEAD:

Blockers

• ✅ gateway/gateway.py:183 — using: "composite" is now in the header literal.
• ✅ update_composite_action.yml — the singular/plural mismatch is resolved by renaming the file (the opposite direction from my suggestion, which works just as well since the in-file references are now consistent).
• ✅ .github/dependabot.yml — open-pull-requests-limit: 50 moved onto the allowlist-review block.

Polish

• ✅ update_refs: dummy_steps → composite_steps (signature + docstring + body).
• ✅ update_actions: docstring Path to the dummy workflow file → Path to the composite action file.
• ✅ update_workflow: dummy_path → composite_action_path, docstring updated, and write_str call fixed to match.
• ✅ Bonus: name: Update Dummy workflow → name: Update Approved Patterns and Composite Action.

Still open (non-blocking, from the prose review)

• cpp-linter/cpp-linter-action >=2.16 ignore: is only on the allowlist-review block. In practice it's fine today (the action isn't uses:-d anywhere in the real workflow tree), but if that ever changes the ignore won't apply — worth a durable comment or a duplicated ignore: on the second block.
• The leafo/gh-actions-luarocks re-ordering in actions.yml is unrelated to the cooldown refactor. Consider splitting it out for a cleaner history, or at least calling it out in the PR description.
• Optional: a one-line snapshot test asserting 'using: "composite"' in generate_composite_action({}) so the regression caught here cannot sneak back in.

LGTM apart from those nits.