datalab-org / datalab

datalab is a place to store experimental data and the connections between them.
https://docs.datalab-org.io
MIT License

Attempt to configure lockfile-only dependabot strategy #853

Closed ml-evs closed 3 weeks ago

ml-evs commented 3 weeks ago

After this PR, ideally, dependabot will keep ticking over and updating our lock files with the latest versions compatible with our pyproject.toml.

There will then be a second job that lets us know of new major incompatible versions; we can treat these on a case-by-case basis and roll the changes out ourselves, based on the dependabot PRs.

I am hoping the dependabot config is flexible enough for this, otherwise we will have to rewrite lots of the constraints from our pyproject into the dependabot config file, for now.

Dependabot groups are also magic to me; my guess is that for the pip ecosystem, any dependency under the extra dev is treated as development, and all the rest are production, but that's not entirely clear to me yet (and it's not documented).
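A sketch of the lockfile-only setup described in the comment above, as an added example that is not the configuration from this PR. The directory, schedule and group names are assumptions; `versioning-strategy`, `groups` and `dependency-type` are standard Dependabot options.

```yaml
# .github/dependabot.yml (constructed example; path, schedule and group names are assumptions)
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"              # assumption: pyproject.toml and its lock file sit at the repo root
    schedule:
      interval: "weekly"        # assumption: any supported interval works here
    # Only refresh the lock file. Versions that would require changing the
    # constraints in pyproject.toml are ignored instead of being proposed.
    versioning-strategy: "lockfile-only"
    groups:
      # One grouped PR for runtime dependencies and one for development tooling,
      # so a lock file refresh arrives as two reviewable diffs instead of many.
      production-lockfile:      # hypothetical group name
        dependency-type: "production"
      development-lockfile:     # hypothetical group name
        dependency-type: "development"
```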

codecov[bot] commented 3 weeks ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 68.12%. Comparing base (9688763) to head (a71e00a). Report is 1 commits behind head on main.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #853   +/-   ##
=======================================
  Coverage   68.12%   68.12%
=======================================
  Files          62       62
  Lines        3884     3884
=======================================
  Hits         2646     2646
  Misses       1238     1238
```