
Forbid dependabot from performing major version bumps #6852

Merged (1 commit), Dec 13, 2023

Conversation

@pnacht (Contributor) commented Dec 12, 2023

As requested in #6835 (comment), this PR configures dependabot to ignore major version bumps, reducing the risk of breaking changes.

If you wish, I can instead configure dependabot to send separate PRs with major version bumps. This way, you can easily identify and merge the "easy" minor/patch bumps, but also be notified of major version bumps that may require a bit more attention.

RELEASE NOTES: none

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
codecov bot commented Dec 12, 2023

Codecov Report

Merging #6852 (17191aa) into master (d050906) will increase coverage by 83.52%.
Report is 2 commits behind head on master.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           master    #6852       +/-   ##
===========================================
+ Coverage        0   83.52%   +83.52%     
===========================================
  Files           0      286      +286     
  Lines           0    30801    +30801     
===========================================
+ Hits            0    25726    +25726     
- Misses          0     4008     +4008     
- Partials        0     1067     +1067     


@pnacht (Contributor, Author) commented Dec 12, 2023

See the equivalent of #6835 on my fork: pnacht#1, which only performs the minor version bumps, ignoring actions/setup-go.

@dfawley (Member) commented Dec 12, 2023

> If you wish, I can instead configure dependabot to send separate PRs with major version bumps. This way, you can easily identify and merge the "easy" minor/patch bumps, but also be notified of major version bumps that may require a bit more attention.

Sure, that sounds even better, thanks!

@pnacht (Contributor, Author) commented Dec 12, 2023

Sorry, I just tried it and it's unfortunately not currently possible, which surprised me...

The issue is tracked in dependabot/dependabot-core#1778.

So I think we'll just have to keep this PR as-is for now.

@dfawley dfawley requested a review from easwars December 13, 2023 00:36
@easwars easwars added the Type: Dependencies Updating/adding/removing dependencies label Dec 13, 2023
@easwars easwars added this to the 1.61 Release milestone Dec 13, 2023
@easwars easwars merged commit 43e4461 into grpc:master Dec 13, 2023
@dannyskoog commented

@pnacht I think it's achievable if you look at https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#example-3 for example.

Basically, specify the update-type under the group instead, and either:

  1. Specify the minor and patch update-types for the existing group, which will result in 1 PR per major update.
  2. Do the same as number 1 but also create an additional group with the major update-type. This will result in 1 PR for ALL major updates.

In both alternatives above, minor and patch updates will continue to be grouped in 1 PR as today (just without major updates).
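As an added example (not the PR's own config, and not grpc-go's), here is a `.github/dependabot.yml` that implements the grouped alternatives described above, with the `ignore` form that this PR merged shown in a comment for comparison. The ecosystem (`github-actions`), the directory, the monthly schedule and the group names are assumptions chosen for illustration; the same shape applies to a `gomod` entry.

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"   # assumed ecosystem for the example
    directory: "/"
    schedule:
      interval: "monthly"                 # assumed cadence
    groups:
      # Alternative 1 on its own: keep only this group. Minor and patch bumps
      # land together in one PR; each major bump arrives as its own PR.
      actions-minor-and-patch:            # hypothetical group name
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # Alternative 2: add this second group so ALL major bumps share one PR
      # instead of one PR per dependency. Delete it to get alternative 1.
      actions-major:                      # hypothetical group name
        patterns:
          - "*"
        update-types:
          - "major"
    # What this PR merged instead: suppress major bumps entirely. Uncomment
    # this block (and drop the "actions-major" group) to reproduce it.
    # ignore:
    #   - dependency-name: "*"
    #     update-types: ["version-update:semver-major"]
```

Two details worth checking before committing either form: the `update-types` values differ between the two keys (`groups` takes bare `major`/`minor`/`patch`, while `ignore` takes the `version-update:semver-*` spelling), and an `ignore` rule applies to Dependabot security updates as well, so a fix that only ships in a new major of an ignored dependency is not proposed and has to be tracked out of band. The grouped form avoids that blind spot by still surfacing major bumps, just in a PR you can triage separately.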
