ci: group dependabot updates and add 3-day cooldown

- Add groups (patterns: ["*"]) to composer, github-actions, and npm
  ecosystems so each produces at most one PR per update cycle
- Add cooldown: default-days: 3 to all ecosystems to defer updates by
  3 days after package publication, reducing supply-chain attack risk

Author: akunzai

.github/dependabot.yml

@@ -4,11 +4,31 @@ updates:
     directory: /
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 3
+    groups:
+      composer-all:
+        patterns:
+          - "*"
+
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 3
+    groups:
+      actions-all:
+        patterns:
+          - "*"
+
   - package-ecosystem: npm
     directory: /e2e
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 3
+    groups:
+      npm-all:
+        patterns:
+          - "*"