
ci: add Dependabot for GitHub Actions and Swift deps#32

Merged
BlackHole1 merged 1 commit into main from ci/dependabot (Jun 24, 2026)

Conversation

@BlackHole1

Member

What

Adds .github/dependabot.yml to automate dependency updates across the project's two dependency surfaces:

  • GitHub Actions — the actions pinned in the ci / nightly / release / build-publish workflows.
  • Swift packages — Sparkle, KeyboardShortcuts, PermissionFlow. Dependabot's xcodeproj support discovers the pins in the Xcode project bundle (LockIME.xcodeproj/.../Package.resolved); no top-level Package.swift is required.

Config choices

  • Daily checks for both ecosystems.
  • Grouped into one PR per ecosystem to cut review noise.
  • 3-day cooldown (cooldown.default-days: 3) so a malicious or broken release has time to be caught/yanked before it lands. Cooldown delays version updates only — security (CVE) updates still open immediately. (Swift supports per-semver-tier cooldown too; Actions supports only the flat default-days.)
  • Commit prefixes follow the repo's Conventional Commits convention (ci(deps) for Actions, build(deps) for Swift).

Note

Dependabot loads this config only after it is merged into the default branch (main).

Adds .github/dependabot.yml covering both dependency surfaces: the
GitHub Actions pinned in the workflows and the Swift packages (Sparkle,
KeyboardShortcuts, PermissionFlow). Dependabot's xcodeproj support
finds the pins in the Xcode project bundle even though this project has
no top-level Package.swift.

Updates are checked daily, grouped into one PR per ecosystem to cut
noise, and held for a 3-day cooldown so a malicious or broken release
has time to be caught before it lands. Cooldown delays version updates
only — security (CVE) patches still open immediately.

Commit prefixes follow the repo's Conventional Commits convention
(ci(deps) for Actions, build(deps) for Swift).

Signed-off-by: Kevin Cui <bh@bugs.cc>
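The configuration described above, written out as an added illustration (the PR's own .github/dependabot.yml is not shown on this page, so this is a reconstruction from the description, not the merged file). The group names `actions` and `swift-packages` are assumed; the `directory: "/"` values follow the walkthrough; the commented per-semver-tier keys are the Swift-only option the description mentions.

```yaml
# Illustrative dependabot.yml reconstructed from the PR description;
# not the file merged in this PR.
version: 2
updates:
  # Surface 1: actions pinned in the ci / nightly / release / build-publish
  # workflows. Dependabot scans .github/workflows/ when directory is "/".
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    # Hold version updates for 3 days so a malicious or broken release can be
    # caught or yanked first. Security updates bypass the cooldown.
    # Actions supports only the flat default-days.
    cooldown:
      default-days: 3
    # One PR per ecosystem: every action lands in a single grouped PR.
    groups:
      actions:            # assumed group name
        patterns:
          - "*"
    # Conventional Commits: "ci(deps): ..." (scope is added by include: scope)
    commit-message:
      prefix: "ci"
      include: "scope"

  # Surface 2: Swift packages (Sparkle, KeyboardShortcuts, PermissionFlow).
  # The xcodeproj support reads Package.resolved inside LockIME.xcodeproj,
  # so no top-level Package.swift is needed.
  - package-ecosystem: "swift"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 3
      # Swift also allows per-semver-tier cooldowns, e.g.:
      # semver-major-days: 7
      # semver-minor-days: 3
      # semver-patch-days: 1
    groups:
      swift-packages:     # assumed group name
        patterns:
          - "*"
    # Conventional Commits: "build(deps): ..."
    commit-message:
      prefix: "build"
      include: "scope"
```

As the description notes, Dependabot only reads this file from the default branch, so the cooldown and grouping take effect after the merge into main.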
@coderabbitai

coderabbitai Bot commented Jun 24, 2026



No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 476a4d2 and 9296668.

📒 Files selected for processing (1)
  • .github/dependabot.yml

Summary by CodeRabbit

  • Chores
    • Added automated dependency update settings for workflow and Swift package updates.
    • Updates are checked daily, with a short delay before new version PRs are opened.
    • Commit messages now use clearer prefixes based on update type.

Walkthrough

A new .github/dependabot.yml file is added to the repository, configuring Dependabot v2 for two package ecosystems. GitHub Actions dependencies (scanned at / within .github/workflows/) and Swift Package Manager dependencies (scanned at /) are each scheduled for daily update checks. Both ecosystems apply a 3-day cooldown before version-update PRs are opened, group all packages via a wildcard pattern, and use ecosystem-specific commit message prefixes: ci for GitHub Actions and build for Swift, with dependency scope included.

🚥 Pre-merge checks: 4 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly matches the PR's Dependabot update for GitHub Actions and Swift dependencies, and it follows the required type: subject format. |
| Description check | ✅ Passed | The description is directly about adding Dependabot config for the same dependency surfaces and update policy. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@BlackHole1 BlackHole1 merged commit f3b7191 into main Jun 24, 2026
3 checks passed
@BlackHole1 BlackHole1 deleted the ci/dependabot branch June 24, 2026 05:00