
Add OIDC release automation and grouped Dependabot #16

Merged
jackparnell merged 1 commit into main from feature/release-automation
Apr 9, 2026

@ColonistOne
Collaborator

Summary

Ports the release infra we set up on colony-sdk-python so future crewai-colony releases ship from a tag push instead of a manual twine upload.

After this PR + a one-time PyPI Trusted Publisher configuration, cutting a release is:

# 1. Bump version in pyproject.toml AND src/crewai_colony/__init__.py
# 2. Move CHANGELOG "## Unreleased" section under a new "## X.Y.Z — DATE" heading
# 3. Merge to main
# 4.
git tag v0.6.0 && git push origin v0.6.0
# 5. Done.

The release workflow then:

  1. Runs ruff check + ruff format --check + mypy src/ + pytest
  2. Builds wheel + sdist via python -m build
  3. Verifies the tag version matches both pyproject.toml AND src/crewai_colony/__init__.py:__version__ (fails the build if either disagrees)
  4. Publishes to PyPI via OIDC trusted publishing — short-lived tokens minted by GitHub at publish time, no API token stored anywhere
  5. Creates a GitHub Release with the matching CHANGELOG section as release notes, and attaches dist/*

Files

  • .github/workflows/release.yml — tag-triggered, four jobs (test → build → publish → github-release). Same shape as the SDK workflow, with the version-match check expanded to cover both version-source files.
  • .github/dependabot.yml — pip + github-actions, weekly Monday, grouped into single PRs per ecosystem (so dependabot/python-deps lands one PR per week instead of N).

Out of band: PyPI Trusted Publisher

PyPI Trusted Publishers must be configured on the PyPI side before the first tag push. I'll do that immediately after this PR merges (Playwright web automation against pypi.org, same flow we used for colony-sdk-python):

  • Project: crewai-colony
  • Owner: TheColonyCC
  • Repository: crewai-colony
  • Workflow: release.yml
  • Environment: pypi

If the publisher isn't configured, the publish job will fail with a clear error from pypa/gh-action-pypi-publish and the release stops there — nothing else is harmed.

Test plan

  • python3 -c "import yaml; yaml.safe_load(open('.github/workflows/release.yml'))" — valid
  • python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))" — valid
  • Version-extraction logic works locally for both pyproject.toml (0.5.0) and __init__.py (0.5.0)
  • Real test: cut v0.6.0 tag after merging to verify the workflow runs end-to-end

This is the last infra PR before v0.6.0. Once it's merged + the PyPI publisher is configured, I'll bump versions, finalise CHANGELOG, and tag.

🤖 Generated with Claude Code

Ports the same release workflow we set up on colony-sdk-python:

  git tag vX.Y.Z && git push origin vX.Y.Z

triggers .github/workflows/release.yml, which runs the test suite,
builds wheel + sdist, publishes to PyPI via short-lived OIDC tokens
(no API token stored anywhere), and creates a GitHub Release with the
matching CHANGELOG section as release notes.

Differences from the colony-sdk-python version:

- Test job installs colony-sdk + crewai (not just the SDK's own deps)
- Version-tag check verifies BOTH pyproject.toml AND
  src/crewai_colony/__init__.py:__version__ agree with the pushed tag
  — crewai-colony keeps the version in two places, so a mismatch is
  easy to introduce by hand.

Also adds .github/dependabot.yml — pip + github-actions, weekly Monday,
grouped into single PRs per ecosystem to minimise noise (same config
as colony-sdk-python).

Configuring the PyPI Trusted Publisher for crewai-colony is a separate
one-time external step that happens before the first tag is pushed.
The PR description tracks the steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
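
The tag-versus-source version check from step 3 of the release workflow, sketched as an added example; it is not the code in this PR's release.yml. It assumes the ref arrives in GitHub's `refs/tags/vX.Y.Z` form and extracts versions with regular expressions; the function names are hypothetical and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: release tags look like vX.Y.Z, as in the PR's "git tag v0.6.0".
TAG_RE = re.compile(r"refs/tags/v(\d+\.\d+\.\d+)")
PROJECT_TABLE_RE = re.compile(r"^\[project\][ \t]*$(.*?)(?=^\[|\Z)", re.M | re.S)
VERSION_KEY_RE = re.compile(r'^version\s*=\s*"([^"]+)"', re.M)
DUNDER_RE = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.M)

def pyproject_version(text):
    """Version from the [project] table only, so [tool.*] keys cannot shadow it."""
    table = PROJECT_TABLE_RE.search(text)
    hit = VERSION_KEY_RE.search(table.group(1)) if table else None
    return hit.group(1) if hit else None

def init_version(text):
    """Value assigned to __version__ at module level, or None."""
    hit = DUNDER_RE.search(text)
    return hit.group(1) if hit else None

def check_release(ref, repo_root):
    """Return a list of problems; an empty list means the tag may be published."""
    tag = TAG_RE.fullmatch(ref)  # fullmatch rejects branches and trailing junk
    if not tag:
        return [f"ref {ref!r} is not a vX.Y.Z tag"]
    root = Path(repo_root)
    init_path = "src/crewai_colony/__init__.py"
    found = {
        "pyproject.toml": pyproject_version((root / "pyproject.toml").read_text()),
        init_path: init_version((root / init_path).read_text()),
    }
    # Fail closed: a version that could not be extracted (None) is a mismatch.
    return [f"{name}: {ver!r} != tag {tag.group(1)!r}"
            for name, ver in found.items() if ver != tag.group(1)]

def make_sample_repo(pyproject_ver, init_ver):
    """Constructed sample tree, not the project's real files."""
    root = Path(tempfile.mkdtemp())
    (root / "src/crewai_colony").mkdir(parents=True)
    (root / "pyproject.toml").write_text(
        '[tool.demo]\nversion = "9.9.9"\n\n[project]\nname = "crewai-colony"\n'
        f'version = "{pyproject_ver}"\n')
    (root / "src/crewai_colony/__init__.py").write_text(f'__version__ = "{init_ver}"\n')
    return root

if __name__ == "__main__":
    problems = check_release("refs/tags/v0.6.0", make_sample_repo("0.6.0", "0.5.0"))
    print("\n".join(problems) or "versions match")
```

Run before the publish job, a non-empty result should stop the workflow so that no artifact is uploaded under a version the tag does not name.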
@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@jackparnell jackparnell merged commit ec1cc1e into main Apr 9, 2026
7 checks passed
@jackparnell jackparnell deleted the feature/release-automation branch April 9, 2026 11:08