Dependabot for plugin template and child plugins

[GenevieveBuckley]

Closes https://github.com/napari/cookiecutter-napari-plugin/issues/120

Dependabot is a useful tool for security updates of dependencies.

It benefits our wider napari plugin ecosystem to make it as easy as possible to keep plugins up to date, and free from known security vulnerabilities.

This PR:

• Adds a .github/dependabot.yml file, to run dependabot on the cookiecutter template repo.
• Adds a {{cookiecutter.plugin_name}}/.github/dependabot.yml file, to run dependabot on the child plugin repo.
• Adds a section to the cookiecutter README.md, explaining how to enable dependabot in your github settings

I modeled the .github/dependabot.yml files on the python example here: https://til.simonwillison.net/github/dependabot-python-setup

Xref: https://github.com/napari/napari-plugin-template/pull/6 (both this PR and the other one are generated from the exact same branch)

[GenevieveBuckley]

Decisions made in the zulip discussion:

• There should be a question about whether users want to add dependabot to their new repositories, similar to the question about whether they want to use pre-commit.
• We will set the dependabot frequency to run as infrequently as possible, currently this is "monthly".
  • Juan would prefer yearly, but dependabot does not support this.
  • If we later find monthly is too frequent for the parent template repository, then we can remove dependabot there and just leave it as an option for users generating new child repos

[GenevieveBuckley]

Not sure what was happening with the flaky CI test (Windows python 3.9). There were a couple of failures there, but I can't reproduce it, and the CI checks have all passed now.