Set a dependabot cooldown.

From Zizmor docs:
> By default, Dependabot does not perform any cooldown on dependency updates. In other words, a regularly scheduled Dependabot run may perform an update on a dependency that was just released moments before the run began. This presents both stability and supply-chain security risks
https://docs.zizmor.sh/audits/#dependabot-cooldown

Author: tim-schilling

.github/dependabot.yml

@@ -11,3 +11,5 @@ updates:
           - "*"  # Group all Actions updates into a single larger pull request
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7