securedrop-client

Improve dependabot experience

Open legoktm opened this issue 5 months ago • 2 comments

Currently dependabot opens a PR for each individual package in each component, creating a giant spam of updates that is IMO unmanageable.

  • Part of this will be taken care of by consolidating dependencies when possible (#1773).
  • One other idea I've considered is just having one poetry project with all the dependencies as separate groups, so at the end of the day there is only one lock file. Seems doable with some sd-builder tooling updates.
  • dependabot supports grouped updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups so we can have one PR per-component. Note that security updates will still get individual PRs.
  • what I really want is https://github.com/dependabot/dependabot-core/issues/1595 in which the same package is upgraded in lock-step across all the components.
  • there's also some third-party solutions like https://marcreichel.dev/blog/combine-dependabot-pull-requests to combine stuff.

I'll at least start with grouped updates since that's officially supported and will cut down on the package spam.

legoktm avatar Feb 12 '24 22:02 legoktm
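The grouped-updates option the issue settles on, shown here as an added configuration example rather than a file from the securedrop-client repository: each `updates` entry covers one component's lock file, and the `groups` block under it collapses that component's version bumps into a single PR. The component directories (`/client`, `/export`) and the group names are assumptions for illustration; the keys themselves follow the dependabot.yml `groups` documentation linked above.

```yaml
# .github/dependabot.yml (illustrative, not the project's actual file)
version: 2
updates:
  # One entry per component; "directory" is where that component's
  # pyproject.toml / poetry.lock lives (paths assumed for this example).
  - package-ecosystem: "pip"
    directory: "/client"
    schedule:
      interval: "weekly"
    groups:
      # All matching version updates for this component land in one PR
      # titled after the group name instead of one PR per package.
      client-dependencies:
        patterns:
          - "*"

  - package-ecosystem: "pip"
    directory: "/export"
    schedule:
      interval: "weekly"
    groups:
      export-dependencies:
        patterns:
          - "*"
```

Groups are scoped to the `updates` entry they sit under, so the same package bumped in two components still produces two PRs (one per component), which is why this only reduces the per-package noise and does not deliver the lock-step upgrade the issue ultimately wants. As the issue notes, security updates are not affected by these groups and continue to arrive as individual PRs.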