Configure Dependabot for critical dependencies with monthly schedule

[Copilot]

This PR sets up Dependabot to proactively monitor critical dependencies in ref-fvm, providing maintainers with timely notifications about important updates while avoiding excessive noise.

Changes

Updated .github/dependabot.yml to monitor 15 critical dependencies with a monthly schedule:

Security & Performance Critical:

• wasmtime, wasmtime-environ - Core runtime dependencies requiring careful review

Cryptographic Dependencies:

• blake2b_simd, k256, bls-signatures - Important for security updates

Core Serialization & Encoding:

• serde, cid, ipld-core, multihash-codetable, multihash-derive

Filecoin Ecosystem:

• filecoin-proofs-api, fvm-wasm-instrument

IPLD Encoding:

• serde_ipld_dagcbor, serde_repr, serde_tuple

Protocol Utilities:

• unsigned-varint

Approach

• Monthly schedule (reduced from weekly) to balance awareness with noise reduction
• Allowlist approach targeting only the most critical dependencies
• Notification-focused - PRs serve as alerts for planned upgrades rather than auto-merge candidates

This configuration enables proactive dependency management for components that either require careful performance analysis (like wasmtime) or represent security-critical infrastructure, helping maintainers stay ahead of important updates without overwhelming the review process.

Fixes #2188.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• docs.github.com
  • Triggering command: curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[rvagg]

See notes in #2188, this probably isn't going to work with dependabot the way it is.

[Copilot]

Pull Request Overview

This PR configures Dependabot for the ref-fvm repository to monitor critical dependencies on a monthly schedule, balancing proactive security awareness with reduced notification noise.

• Changes update schedule from weekly to monthly intervals
• Implements an allowlist approach targeting 15 critical dependencies across security, cryptographic, serialization, and Filecoin ecosystem components
• Focuses on notification-based workflow rather than auto-merge for planned upgrades

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The dependency name should be 'wasmtime-environ' with a hyphen, but verify this matches the exact package name in Cargo.toml as Dependabot requires exact naming.

[rvagg]

dependabot/dependabot-core#12780 is merged and I believe we are just waiting on deploy. Latest dependabot in this repo (I re-ran one just today) where it's looking at wasmtime only still says that it's not eligible to update and I believe it's still running the old dependabot version, but update is imminent I hope.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.56%. Comparing base (b73258b) to head (2798ef0).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2194   +/-   ##
=======================================
  Coverage   77.56%   77.56%           
=======================================
  Files         147      147           
  Lines       15789    15789           
=======================================
  Hits        12247    12247           
  Misses       3542     3542           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.