Update Dependabot to ignore patch updates#271

Merged
jbangelo merged 4 commits intomasterfrom
jbangelo/skip-patch-versions
Mar 6, 2025

Conversation

@jbangelo jbangelo commented Mar 3, 2025

We tend to get a bunch of patch updates to dependencies, which can create a lot of pointless noise in the commit history. Since we have security scans enabled, it should be fine to skip over patch updates until we encounter a bug that requires an update.

This also adds a reviewer to the Dependabot PRs, so that we can get them reviewed and merged in a timely fashion.

@jbangelo jbangelo requested a review from Copilot March 3, 2025 18:26

Copilot AI left a comment

PR Overview

This PR updates the Dependabot configuration to reduce noise by ignoring patch updates for dependencies and to streamline reviews by automatically assigning a reviewer.

  • Adds a reviewers list with "jbangelo"
  • Introduces a general ignore rule for patch updates across all dependencies
  • Retains specific pinned version rules for vergen and skips a specific version of curl

Reviewed Changes

| File | Description |
| --- | --- |
| .github/dependabot.yml | Updated configuration to reduce patch update noise and assign reviewers |

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@john-michaelburke john-michaelburke left a comment

you could probably throw a group on there like the quality group or something unless you'd prefer to be blasted on your own. Seems like we could benefit from like a generic rust reviewer group which you could use for things like this

@pcrumley pcrumley left a comment

I hear where you are coming from, but this is a little heavy-handed in your approach.

at the very least dependabot knows security updates vs patch and we should allow those. I also think it is nice to group updates to avoid spam. I found this setting works well for my rust repos:

```yaml
---
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - patch
          - minor
      security-updates:
        applies-to: security-updates
        update-types:
          - patch
          - minor
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
```

.github/dependabot.yml
```yaml
          - 0.4.36
      # Ignore patch updates for all
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```

Actually this already only affects version-updates. Sorry for being trigger-happy with changes requested. I think it makes sense to group instead of disabling if you are worried about git log spam, but this is fine as is if you are happy with it.
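
Putting the two approaches together, as an added example that is not the repository's own .github/dependabot.yml and not either commenter's exact config: the PR's ignore rule and team reviewer alongside the grouping shown above, with the less frequent schedule floated later in the thread. The team name, the 0.4.36 pin and the ignore entries come from this page; which dependency the 0.4.36 pin belongs to, the exact indentation and the overall file layout are assumptions.

```yaml
# Added example (assumed layout), not the repository's actual file.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"          # check less often instead of daily
    reviewers:
      - "swift-nav/open-source"   # a team rather than a single person
    groups:
      # Non-security version bumps arrive as one combined PR instead of many.
      # "patch" is kept here so grouping still works if the ignore rule below
      # is ever removed.
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - patch
          - minor
      # Security updates are grouped separately so they are not lost among
      # routine bumps; as noted above, the ignore rule only affects version updates.
      security-updates:
        applies-to: security-updates
        update-types:
          - patch
          - minor
    ignore:
      # Skip one specific release (assumed to be the curl pin from the thread)
      - dependency-name: "curl"
        versions:
          - "0.4.36"
      # Ignore plain patch updates for everything (version updates only)
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this layout a routine minor bump for several crates lands as one grouped PR assigned to the team, security updates keep arriving on their own, and patch-only version bumps generate no PR at all.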

@jbangelo jbangelo left a comment

Maybe doing checks less often, in addition to grouping them together, would be the right path forward?

@pcrumley pcrumley Mar 3, 2025

@jbangelo that's what I would recommend, but I don't feel strongly about it. You don't have to merge the PRs in right away and Dependabot will just add new ones to the group, so I don't find the daily checks too annoying; I just merge them in about once every couple of weeks.

pcrumley commented Mar 3, 2025

FYI, there isn't really a good reason to keep vergen pinned at version three, other than that the breaking change is confusing to fix. Luckily I did that for other Rust tools a while back, and I updated ntripping to the latest vergen version in line with other Rust tools we have: #272

jbangelo commented Mar 3, 2025

> you could probably throw a group on there like the quality group or something unless you'd prefer to be blasted on your own. Seems like we could benefit from like a generic rust reviewer group which you could use for things like this

Changed out me for the @swift-nav/open-source group, just had to make sure we had added that team to this repo.

@jbangelo jbangelo merged commit 1b79afe into master Mar 6, 2025
6 checks passed
@jbangelo jbangelo deleted the jbangelo/skip-patch-versions branch March 6, 2025 02:38