Prevent unnecessary composer package downloads

[driskell]

This PR prevents all installations of packages during composer updates. It significantly increases speed of updates.

This was discussed in #2999 and should help greatly with #2416.

Previous PR was #2998 and I closed it as I thought there was issues with this approach, as https://github.com/wikimedia/composer-merge-plugin stopped working. After rechecking with existing dependabot-core main branch I did see setScripts is false already and was able to reproduce the merge-plugin issue there. Having thought about it I think it's unreasonable to support that plugin in dependabot - even if the packages merged in weren't removed there would still be incompatibility in that packages merged in won't get dependabot updates. So I've produced this PR again as it was for discussion.

Credit should also go to @jurre here as it's a progression from #3009.

[feelepxyz]

Amazing work on this! 🎉 I think this looks good, will give it a quick QA test locally to verify.

Thanks for updating the tests, not raising for these cases is a real nice improvement.

[jurre]

This seems very promising, thanks @driskell 🎉

@feelepxyz do you need a hand w/ QAing?

[feelepxyz]

Tested this out a few test repos and working nicely! Double win here, speeding up composer v2 updates and removing a class of update errors where downloads needed authentication 🎉

This is in line with other package managers so great to see this working in composer now.