ci: update GitHub Actions and add Dependabot #5

Merged
stefan-jansen merged 2 commits into main from chore/update-github-actions-and-dependabot on Apr 30, 2026

Conversation

@stefan-jansen (Contributor)
Summary

  • update GitHub Actions references to current upstream releases
  • add a shared Dependabot config for github-actions and pip updates
  • standardize workflow dependency maintenance across the repo

Updated actions

  • actions/checkout -> v6.0.2
  • astral-sh/setup-uv -> v8.1.0
  • actions/upload-artifact -> v7.0.1
  • actions/download-artifact -> v8.0.1
  • pypa/gh-action-pypi-publish -> v1.14.0
  • cpina/github-action-push-to-another-repository -> v1.7.3
  • codecov/codecov-action -> v6.0.0 (where used)

Validation

  • actionlint .github/workflows/*.yml
  • git diff --check

Copilot AI review requested due to automatic review settings April 30, 2026 15:20

Copilot AI left a comment


Pull request overview

Updates CI/release/docs GitHub Actions references and introduces a centralized Dependabot configuration to standardize automated dependency maintenance (GitHub Actions + Python) across the repository.

Changes:

  • Bump versions for several GitHub Actions used in CI, docs deploy, and release workflows.
  • Add .github/dependabot.yml with weekly grouped updates for github-actions and pip.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

File descriptions:

  • .github/workflows/release.yml: Updates action versions for build artifact upload/download and PyPI publish/release steps.
  • .github/workflows/docs.yml: Updates checkout/uv setup actions and bumps the deploy-to-website action version.
  • .github/workflows/ci.yml: Updates checkout/uv setup and artifact upload action versions in CI jobs.
  • .github/dependabot.yml: Adds weekly Dependabot updates/groups for GitHub Actions and Python (pip).

- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@v1.14.0
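Review bot: the `uses:` line moves from the floating `release/v1` branch to the `v1.14.0` tag, which narrows what the publish step runs but still leaves a mutable reference on the one job that holds PyPI publish rights; pin the commit the tag resolves to and keep the tag in a trailing comment (`uses: pypa/gh-action-pypi-publish@<sha> # v1.14.0`) so a human reader and the Dependabot `github-actions` updater added in this PR can both still tell which release is pinned.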

Copilot AI Apr 30, 2026


For release publishing, consider pinning pypa/gh-action-pypi-publish to a full commit SHA instead of a version tag. This reduces the blast radius of a compromised/moved tag for a workflow that has permission to publish artifacts to PyPI.

Suggested change
uses: pypa/gh-action-pypi-publish@v1.14.0
uses: pypa/gh-action-pypi-publish@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1_14_0> # v1.14.0

Comment thread .github/dependabot.yml
Comment on lines +20 to +37

- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:15"
timezone: "America/New_York"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "python"
commit-message:
prefix: "deps"
groups:
python-dependencies:
patterns:
- "*"
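Review bot: the `python-dependencies` group with `patterns: - "*"` folds every Python update, majors included, into one weekly PR, so a single breaking major bump holds back every other update until someone edits the PR by hand; consider narrowing the group with `update-types: ["minor", "patch"]` so major versions arrive as their own PRs and can be reviewed and reverted independently.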

Copilot AI Apr 30, 2026


Dependabot's "pip" ecosystem can update pyproject.toml, but it will not update the committed uv.lock, which can lead to PRs that change version constraints without updating the lockfile (and potentially to CI resolving different deps than what’s committed). Consider either disabling the pip updater, or adding automation/CI checks that regenerate & commit uv.lock as part of dependency-update PRs so the lockfile stays in sync.

Suggested change
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "06:15"
timezone: "America/New_York"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "python"
commit-message:
prefix: "deps"
groups:
python-dependencies:
patterns:
- "*"

Comment thread .github/dependabot.yml
Comment on lines +1 to +3
version: 2
updates:
- package-ecosystem: "github-actions"

Copilot AI Apr 30, 2026


PR description mentions updating codecov/codecov-action “where used”, but there’s no workflow/config in this repo referencing that action (searching the repo turns up no matches). Please either remove that bullet from the PR description or include the missing change if it was intended.


- name: Deploy to website repo
uses: cpina/github-action-push-to-another-repository@v1.7.2
uses: cpina/github-action-push-to-another-repository@v1.7.3
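Review bot: the bump from v1.7.2 to v1.7.3 on the `uses:` line changes third-party code that runs with push access to another repository, so the review should cover the upstream diff between those two tags and not only the version string; the tag alone records nothing about what changed, whereas a commit SHA with the tag in a trailing comment records exactly which revision was reviewed and trusted with the deploy key.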

Copilot AI Apr 30, 2026


This workflow uses a third-party action that can push to another repository using an SSH deploy key. For supply-chain hardening, consider pinning cpina/github-action-push-to-another-repository to a full commit SHA (and optionally using GitHub’s allow-listing/pinning guidance) rather than a mutable tag, to reduce the risk of upstream tag compromise.

Suggested change
uses: cpina/github-action-push-to-another-repository@v1.7.3
# Pin to the full commit SHA for the v1.7.3 release to avoid mutable tag risk.
uses: cpina/github-action-push-to-another-repository@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1.7.3>

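Both SHA-pinning comments in this thread (the pypa/gh-action-pypi-publish one and the cpina/github-action-push-to-another-repository one) stop at a `<FULL_40_CHARACTER_COMMIT_SHA>` placeholder. As an added example that is not part of this PR, the Copilot review, or the repository's own tooling, the script below does the resolution and rewrite: it finds every `uses:` reference in a workflow, leaves existing SHA pins alone (flagging ones with no version comment), reports branch references such as `release/v1` that cannot be pinned until a release is chosen, and rewrites tag references to `action@<sha> # <tag>`. The `git_ls_remote_resolver` helper is the network-backed lookup you would pass in practice; it prefers the peeled `^{}` entry because an annotated tag's own object ID is not the commit the runner checks out. The sample workflow text, the `FAKE_TAG_SHAS` table and all SHAs in it are constructed for the example and are not real commits; every function name here is the example's own.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# One `uses:` step reference: owner/repo(/sub/path)@ref, optional trailing comment.
# Local (./path) and docker:// actions have no owner/repo@ref form and pass through.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")

Resolver = Callable[[str, str], str]  # (owner/repo, tag) -> 40-hex commit SHA


def classify_ref(ref: str) -> str:
    """'sha' for an immutable commit pin, 'tag' for a version-like tag, else 'branch'."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch"  # e.g. release/v1 or main: moves with every upstream push


def repo_of(action: str) -> str:
    """'owner/repo/sub/path' -> 'owner/repo'; tags belong to the repository."""
    return "/".join(action.split("/")[:2])


def git_ls_remote_resolver(repo: str, tag: str) -> str:
    """Network lookup via `git ls-remote --tags`: the commit a tag points at.
    An annotated tag lists twice (tag object, then peeled commit as
    refs/tags/<tag>^{}); the peeled commit is what a SHA pin must name."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}"],
        check=True, capture_output=True, text=True,
    ).stdout
    found: Dict[str, str] = {}
    for line in out.splitlines():
        sha, name = line.split("\t", 1)
        found[name] = sha
    sha = found.get(f"refs/tags/{tag}^{{}}") or found.get(f"refs/tags/{tag}")
    if sha is None:
        raise LookupError(f"{repo} has no tag {tag}")
    return sha


def pin_workflow(text: str, resolve: Resolver) -> Tuple[str, List[Tuple[int, str, str, str]]]:
    """Rewrite tag references to `action@<sha> # <tag>`; report every `uses:` line as
    (line_no, action, ref, outcome) with outcome in {'pinned', 'already-pinned',
    'sha-without-version-comment', 'mutable-branch'}. Branches are left untouched."""
    out_lines: List[str] = []
    report: List[Tuple[int, str, str, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            out_lines.append(line)
            continue
        action, ref, rest = m["action"], m["ref"], m["rest"]
        kind = classify_ref(ref)
        if kind == "sha":
            # Keep the pin; flag it if no comment says which version it is.
            outcome = "already-pinned" if "#" in rest else "sha-without-version-comment"
            out_lines.append(line)
        elif kind == "tag":
            sha = resolve(repo_of(action), ref)
            if not SHA_RE.match(sha):
                raise ValueError(f"resolver gave non-SHA {sha!r} for {action}@{ref}")
            out_lines.append(f"{m['prefix']}{action}@{sha} # {ref}")
            outcome = "pinned"
        else:
            out_lines.append(line)
            outcome = "mutable-branch"
        report.append((no, action, ref, outcome))
    return "\n".join(out_lines) + ("\n" if text.endswith("\n") else ""), report


# Constructed sample: action names from this PR, placeholder SHAs (not real commits).
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
      - name: Deploy to website repo
        uses: cpina/github-action-push-to-another-repository@v1.7.3
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111 # v7.0.1
      - uses: actions/download-artifact@2222222222222222222222222222222222222222
"""

# Constructed tag -> SHA table standing in for git_ls_remote_resolver (offline).
FAKE_TAG_SHAS: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v6.0.2"): "a" * 40,
    ("cpina/github-action-push-to-another-repository", "v1.7.3"): "b" * 40,
}


def offline_resolver(repo: str, tag: str) -> str:
    return FAKE_TAG_SHAS[(repo, tag)]


def demo() -> Tuple[str, List[Tuple[int, str, str, str]]]:
    return pin_workflow(SAMPLE_WORKFLOW, offline_resolver)


if __name__ == "__main__":
    pinned, rows = demo()
    print(pinned)
    for row in rows:
        print(row)
```

Run it against a real workflow with `pin_workflow(open(path).read(), git_ls_remote_resolver)`; the `mutable-branch` rows are the ones that need a human decision, because a branch such as `release/v1` has no single release to pin until you pick a tag. Keeping the `# <tag>` comment next to the SHA is what lets the `github-actions` Dependabot updater in this PR keep proposing bumps against a pinned line.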
@stefan-jansen stefan-jansen merged commit 78e60c0 into main Apr 30, 2026
6 checks passed
@stefan-jansen stefan-jansen deleted the chore/update-github-actions-and-dependabot branch April 30, 2026 19:47