Regen docs/requirements.txt; restrict Dependabot to pyproject.toml

[gunnarvoet]

Summary

• Regenerate docs/requirements.txt via uv pip compile pyproject.toml --group dev --upgrade -o docs/requirements.txt. The file is autogenerated (per its own header), so the right way to update it is regen — not hand-patching individual transitive pins.
• This absorbs the bumps proposed in the open Dependabot PRs Bump fonttools from 4.60.1 to 4.61.0 in /docs #51 (fonttools), Bump urllib3 from 2.5.0 to 2.6.3 in /docs #53 (urllib3), Bump pillow from 12.0.0 to 12.1.1 in /docs #54 (pillow), and goes a bit further on fonttools/pillow because newer releases are now available.
• Add .github/dependabot.yml declaring a single pip ecosystem rooted at /, so Dependabot tracks pyproject.toml direct deps only and stops opening PRs against docs/requirements.txt. Going forward, regenerate the docs lock at release time.

Test plan

• ReadTheDocs build succeeds against the new docs/requirements.txt
• After merge, close Bump fonttools from 4.60.1 to 4.61.0 in /docs #51, Bump urllib3 from 2.5.0 to 2.6.3 in /docs #53, Bump pillow from 12.0.0 to 12.1.1 in /docs #54 as superseded