add some ignore in dependabot configuration

[olamy]

Signed-off-by: Olivier Lamy [email protected]

Following this checklist to help us incorporate your
contribution quickly and easily:

• Each commit in the pull request should have a meaningful subject line and body.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean install to make sure basic checks pass. A more thorough check will
  be performed on your pull request automatically.
• You have run the integration tests successfully (mvn -Prun-its clean install).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004

• In any other case, please file an Apache Individual Contributor License Agreement.

[Tibor17]

You opened a PR without properly saying why we need to have these changes in depenabot. What happened?
There's a default template but nothing else, rewrite the text. Nobody knows what you are doing and why.

[olamy]

I've added some self-explanatory comments directly in the dependabot.yml file to clarify the rules.
But I'm happy to add even more content here if the comments are not self-explanatory enough.
This is a standard configuration approach for projects with strict baseline requirements (like Java 8).
Without these exclusions, Dependabot would suggest incompatible upgrades, as seen here: #3287 or #3283 .
This setup simply prevents such noise.
I also added exclusions for dependencies like slf4j-api and maven-resolver (with inline comments explaining why). Since these are tied to Maven Core, they cannot be upgraded independently.

[slawekjaranowski]

In most of Maven project we use labels for such things ... so for me will be good to have some conventions, some of commits will have a prefix according to branch, but commits/PR doing manually probably will not have it

[olamy]

Whatever label or prefix, as long as we can see the difference quickly when looking at /pulls. The advantage of a prefix is to see this directly when using gh pr list.
But no real strong opinion.

[olamy]

changed to use label

[slawekjaranowski]

we need to add all labels, so please also add here dependencies and java

[slawekjaranowski]

we also need manually add new label master to https://github.com/apache/maven-surefire/labels
dependabot will not create it

[slawekjaranowski]

please add dependencies and github_actions

[olamy]

done.
sounds weird to have dependencies and github_actions as the same time though.

[slawekjaranowski]

it is default, but when we override default is not used