Old check evaluated steps.meta.outputs.update-type which only reflects
the first dependency in a grouped PR. A grouped PR with one minor dep
+ several major-bump deps would auto-merge unattended.

Incident 2026-05-04: Operational-Dashboard PR #7 (grouped runtime-deps)
included astro 5→6, tailwind 3→4, TS 5→6. Auto-merged. CF Workers Build
rejected the resulting peer-dep tree, dashboard.umbrellaitgroup.com
went down.

New check additionally requires
  steps.meta.outputs.dependency-major-versions-changed == ''
which is non-empty when ANY dep in the group has a major bump.
Major-bump PRs get labeled 'needs-review,major-version' so they
don't sit silently.

Bumps fetch-metadata to v3 if not already.