chore: add semver cooldowns to dependabot configuration and fix tycho-version tracking

[Copilot]

The existing dependabot config lacked cooldowns, causing noisy PRs from freshly released packages, was missing the bundler ecosystem entry for /_doc, and the tycho-version was defined only in .mvn/maven.config where Dependabot cannot see it.

Changes

• Cooldowns added to maven and bundler ecosystems: patch/minor: 3 days, major: 30 days — mirrors the bndtools/bnd approach
• bundler ecosystem added targeting /_doc (where Gemfile lives)
• github-actions intentionally left without cooldown — action updates are low-risk and desirable promptly
• tycho-version moved from .mvn/maven.config (-Dtycho-version=5.0.2) into pom.xml <properties> — Dependabot's Maven scanner only reads pom.xml, so the version was previously invisible to it

cooldown:
  semver-patch-days: 3
  semver-minor-days: 3
  semver-major-days: 30

[peterkir]

@copilot
is the tycho version -Dtycho-version=5.0.2 inside .mvn/maven.config also considered by dependabot configuration?

[Copilot]

@copilot
is the tycho version -Dtycho-version=5.0.2 inside .mvn/maven.config also considered by dependabot configuration?

No — -Dtycho-version=5.0.2 in .mvn/maven.config is not tracked by Dependabot. Its Maven scanner only parses pom.xml files, so a version defined solely as a -D command-line flag is invisible to it.

Fixed in commit fix: move tycho-version from maven.config to pom.xml properties for Dependabot tracking:

• Added <tycho-version>5.0.2</tycho-version> to the <properties> block in pom.xml (all plugins already reference ${tycho-version}, so no other changes needed there)
• Removed the -Dtycho-version=5.0.2 line from .mvn/maven.config (since .mvn/maven.config doesn't support Maven property interpolation, the cleanest solution is to define the property directly in pom.xml)

Dependabot will now detect and update org.eclipse.tycho plugin versions via the pom.xml property.