Throttle Dependabot: monthly cadence + 1 open PR per ecosystem (cut CI spend)

Author: MelbourneDeveloper

.github/dependabot.yml

@@ -1,45 +1,51 @@
 # Keeps SHA-pinned GitHub Actions and every language dependency fresh.
 # Implements [SWR-SEC-ACTION-PINNING]: each ecosystem groups ALL updates into ONE
 # combined PR per run (patterns: ["*"]) so pinned action SHAs get bumped together
-# instead of one PR per package.
+# instead of one PR per package. Monthly cadence + one-open-PR-per-ecosystem caps
+# CI spend (security updates are exempt from `schedule` and still arrive promptly).
 version: 2
 updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
+    open-pull-requests-limit: 1
     groups:
       actions:
         patterns: ["*"]
 
   - package-ecosystem: npm
     directory: /src/Napper.VsCode
     schedule:
-      interval: weekly
+      interval: monthly
+    open-pull-requests-limit: 1
     groups:
       vscode-extension:
         patterns: ["*"]
 
   - package-ecosystem: npm
     directory: /website
     schedule:
-      interval: weekly
+      interval: monthly
+    open-pull-requests-limit: 1
     groups:
       website:
         patterns: ["*"]
 
   - package-ecosystem: nuget
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
+    open-pull-requests-limit: 1
     groups:
       dotnet:
         patterns: ["*"]
 
   - package-ecosystem: cargo
     directory: /src/Napper.Zed
     schedule:
-      interval: weekly
+      interval: monthly
+    open-pull-requests-limit: 1
     groups:
       zed-extension:
         patterns: ["*"]