ci: add dependabot for npm, www, and github actions #32

Merged: jal-co merged 1 commit into main from ci/add-dependabot on May 31, 2026

@jal-co jal-co commented May 31, 2026

Owner

What

Adds Dependabot version updates and ensures its PRs pass CI:

  1. .github/dependabot.yml — weekly updates for all three ecosystems.
  2. .github/cchk.toml — adds ignore_authors to the [branch] section so commit-check doesn't reject Dependabot's branches.

Why

The repo has three dependency surfaces with no automated update path: the root CLI (package-lock.json), the website (www/pnpm-lock.yaml), and the GitHub Actions used in workflows. Dependabot keeps them current and surfaces security patches.

Without the cchk.toml change, every Dependabot PR would fail the commit-check branch check — Dependabot opens PRs from dependabot/* branches, which don't match the Conventional Branch types. I verified this locally (a dependabot/... branch returns [FAIL]). Adding ignore_authors to [branch] bypasses the branch check for the bot, the same way it's already bypassed for commit messages.

Closes #

Type

  • ci — CI/CD changes

How

  • Ecosystems: npm at / (CLI), npm at /www (pnpm lockfile — Dependabot's npm ecosystem handles pnpm), and github-actions at /.
  • Noise control: each ecosystem groups minor/patch updates into a single weekly PR (Monday).
  • CI compatibility: commit messages use Conventional Commit prefixes (chore(deps): / ci(deps):) so they pass allow_commit_types; labels (chore, ci, website) come from the existing label set.
  • Branch bypass: ignore_authors = ["dependabot[bot]", "renovate[bot]", "copilot[bot]"] added to [branch] (previously only under [commit]).

Testing

  • Verified a dependabot/* branch fails the branch check today (confirms the fix is needed)
  • commit-check --branch / --message — pass on this PR
  • npm run lint — passes · npm test — 62/62 pass
  • No application code changed.

Screenshots

N/A — CI configuration.

Adds weekly Dependabot version updates across all three ecosystems:
the root create-scn-stack CLI (npm), the scnstack.sh site (npm/pnpm in
/www), and GitHub Actions. Updates are grouped per ecosystem to reduce
PR noise and use Conventional Commit prefixes (chore/ci) plus project
labels so they pass commit-check.

Also adds ignore_authors to the [branch] section of cchk.toml so
commit-check does not reject Dependabot's dependabot/* branches, which
do not follow Conventional Branch naming.
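
A sketch of a `.github/dependabot.yml` with the shape described above, added here as an example and not the file merged in this PR. The group names, the use of `include: "scope"` to produce the `(deps)` scope, and the mapping of labels to ecosystems are assumptions.

```yaml
# Illustrative sketch only, not the file from this PR.
# Group names and the label-to-ecosystem mapping are assumptions.
version: 2
updates:
  # Root CLI (package-lock.json)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    commit-message:
      prefix: "chore"
      include: "scope"        # renders as chore(deps): or chore(deps-dev):
    labels: ["chore"]
    groups:
      cli-minor-patch:        # assumed group name
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Website (www/pnpm-lock.yaml); the npm ecosystem covers pnpm lockfiles
  - package-ecosystem: "npm"
    directory: "/www"
    schedule:
      interval: "weekly"
      day: "monday"
    commit-message:
      prefix: "chore"
      include: "scope"
    labels: ["chore", "website"]
    groups:
      www-minor-patch:        # assumed group name
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Actions referenced from .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    commit-message:
      prefix: "ci"
      include: "scope"        # renders as ci(deps):
    labels: ["ci"]
    groups:
      actions-minor-patch:    # assumed group name
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

With groups limited to `minor` and `patch`, major-version updates fall outside the group and arrive as individual PRs, which keeps breaking changes reviewable on their own.
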

vercel Bot commented May 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: scn-stack. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): May 31, 2026 2:34am

@github-actions github-actions Bot added the ci CI/CD and workflow changes label May 31, 2026
@jal-co jal-co merged commit ba72996 into main May 31, 2026
5 checks passed
@jal-co jal-co deleted the ci/add-dependabot branch May 31, 2026 03:07