
fix: auto-approval and refine dependabot policy #412

Merged
jgoux merged 3 commits into main from fix/dependabot-policy
Apr 10, 2026

Conversation

@jgoux
Contributor

@jgoux jgoux commented Apr 10, 2026

What changed

This updates our Dependabot policy to reduce routine dependency-update noise while keeping minor and patch updates moving automatically.

  • Configure Dependabot to run weekly on Tuesday at 09:00 Europe/Paris for both github-actions and bun
  • Group all minor and patch updates per ecosystem:
    • one GitHub Actions update PR
    • one Bun dependency update PR
  • Keep major updates ungrouped so Dependabot opens individual PRs for manual review
  • Reduce routine open Dependabot PRs to one per ecosystem
  • Add cooldown windows so Dependabot avoids immediately chasing fresh releases:
    • 7 days for minor updates
    • 2 days for patch updates
  • Update the Dependabot automerge workflow to generate a GitHub App token before approving PRs
  • Auto-approve and enable automerge only for patch and minor updates, including 0.x minors
  • Leave major update PRs for human review and merge

Why

Dependabot was not able to approve/automerge PRs using the default token. This follows the GitHub App token pattern recommended by security, while also tuning Dependabot for a better signal-to-noise ratio.

The resulting behavior is:

  • minor/patch updates are batched weekly and can merge after CI passes
  • major updates still appear, but individually and without automerge
  • security updates remain handled by Dependabot/GitHub outside the routine grouping policy
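The policy and workflow this comment describes, written out as an added illustrative example. These are not the project's actual files: the file paths, the group names, the App ID variable and private-key secret names, and the action versions are assumptions; the schedule, grouping, limit, cooldown and approval rules follow the bullet list above.

```yaml
# .github/dependabot.yml  (assumed path; illustrative, not the project's file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "09:00"
      timezone: "Europe/Paris"
    # One routine (grouped) PR open at a time for this ecosystem.
    open-pull-requests-limit: 1
    # Wait before picking up a fresh release instead of chasing it immediately.
    cooldown:
      semver-minor-days: 7
      semver-patch-days: 2
    groups:
      actions-minor-and-patch:      # assumed group name
        patterns: ["*"]
        update-types: ["minor", "patch"]
    # "major" is listed in no group, so each major bump gets its own PR.

  - package-ecosystem: "bun"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "09:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 1
    cooldown:
      semver-minor-days: 7
      semver-patch-days: 2
    groups:
      bun-minor-and-patch:          # assumed group name
        patterns: ["*"]
        update-types: ["minor", "patch"]

---
# .github/workflows/dependabot-automerge.yml  (assumed path; illustrative, not the project's file)
name: Dependabot automerge
on: pull_request          # not pull_request_target: the PR branch is never checked out here

# Keep GITHUB_TOKEN read-only; every write goes through the App token minted below.
permissions:
  contents: read
  pull-requests: read

jobs:
  automerge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Classify the update
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Mint a short-lived GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.AUTOMERGE_APP_ID }}                    # assumed variable name
          private-key: ${{ secrets.AUTOMERGE_APP_PRIVATE_KEY }}   # assumed secret name
          # Request only what approve + automerge need, even if the App holds more.
          permission-contents: write
          permission-pull-requests: write

      - name: Approve and enable automerge (patch and minor only)
        # update-type is the highest bump in the PR. A 0.x -> 0.y bump is reported as
        # semver-minor, so 0.x minors are included; majors fall through and stay for humans.
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

Two points worth checking when adopting a layout like this. First, the App token is what makes the approval count: an approval submitted with the workflow's own GITHUB_TOKEN is blocked unless the repository allows Actions to approve pull requests, and a workflow run for a Dependabot PR gets a read-only GITHUB_TOKEN by default, so the explicit `permissions:` block and the separately minted token are both needed. Second, with `open-pull-requests-limit: 1` confirm in your own repository that an open grouped PR does not also hold back the individual major-update PRs you still want to see.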

@jgoux jgoux requested a review from a team as a code owner April 10, 2026 06:54
@jgoux jgoux enabled auto-merge (squash) April 10, 2026 08:22
@jgoux jgoux merged commit c099ad8 into main Apr 10, 2026
23 checks passed
@jgoux jgoux deleted the fix/dependabot-policy branch April 10, 2026 08:25
