fix: add uv to root-level ignore and use explicit paths

[ruromero]

Summary

• Add root-level ignore: [{dependency-name: "*"}] for the uv ecosystem (missed in PR ci: fix dependabot exclusions for non-production ecosystems #431)
• Remove redundant per-directory entries for ecosystems covered by root-level ignore-all
• Replace /** glob patterns with explicit directory listings for maven test fixtures
• Add test fixture dependabot guidance to CONVENTIONS.md

Context

PR #431 added root-level ignore-all for npm, pip, gomod, gradle, cargo but missed uv, causing Dependabot to create security PRs for pyproject.toml files in test fixtures (#439, #440, #441). Glob patterns are replaced with explicit paths since /** doesn't reliably match nested subdirectories for security updates.

Test plan

• Verify uv security PRs (build(deps): bump urllib3 from 1.26.15 to 2.6.3 in /src/test/resources/tst_manifests/pip/pip_pyproject_toml_uv_ignore #439, build(deps): bump werkzeug from 2.2.3 to 3.1.6 in /src/test/resources/tst_manifests/pip/pip_pyproject_toml_uv_ignore #440, build(deps): bump requests from 2.25.1 to 2.33.0 in /src/test/resources/tst_manifests/pip/pip_pyproject_toml_uv_ignore #441) are closed by Dependabot
• Verify no new security PRs appear for test fixture directories
• Verify production maven dependency updates still work normally

🤖 Generated with Claude Code

Summary by Sourcery

Update Dependabot configuration to correctly suppress updates for test fixtures while preserving production maven updates, and document project coding and Dependabot conventions.

Bug Fixes:

• Add root-level ignore-all entry for the uv ecosystem so Dependabot does not open security PRs for uv-based test fixtures.

Enhancements:

• Simplify Dependabot configuration by relying on root-level ignore-all entries for non-maven ecosystems and consolidating cargo configuration.
• Restrict Dependabot handling of maven test fixtures to an explicit list of fixture directories to ensure they are not updated while keeping production maven updates active.

CI:

• Adjust .github/dependabot.yml to correct ecosystem entries and explicitly list maven test fixture directories for suppression.

Documentation:

• Add CONVENTIONS.md to document coding standards, dependencies, and guidance for managing Dependabot suppression of test fixtures.

[sourcery-ai]

Reviewer's Guide

Updates Dependabot configuration to correctly ignore uv-based dependencies and refine test fixture handling, while adding project-wide coding and Dependabot conventions documentation.

Flow diagram for Dependabot decision on updates vs ignored fixtures

flowchart TD
  A[Start: Dependabot scans repository] --> B[Select package ecosystem]

  B --> C{Ecosystem is maven?}

  C -->|No| D[Check root-level ignore-all for this ecosystem]
  D --> E{ignore_all_configured?}
  E -->|Yes| F[Skip all updates including security]
  E -->|No| G[Proceed with normal dependabot behavior]

  C -->|Yes| H[Locate pom.xml file path]
  H --> I{Path matches explicit maven test fixture directory?}
  I -->|Yes| J[Apply per-directory ignore-all]
  J --> F[Skip all updates including security]
  I -->|No| K[Treat as production maven dependency]
  K --> G[Proceed with normal dependabot behavior]

  G --> L[Create or update dependency PRs]
  F --> M[End]
  L --> M[End]

Loading

File-Level Changes

Change	Details	Files
Fix root-level Dependabot ecosystems and extend ignore-all coverage to uv while preserving production ecosystems.	Change the root-level ignore-all entry from gomod to uv so uv dependencies are no longer updated by Dependabot. Shift gomod, gradle, and cargo root-level ignore-all entries down so each ecosystem is still ignored at the repository root. Set an explicit open-pull-requests-limit: 0 for the root-level cargo configuration to fully suppress PR creation.	.github/dependabot.yml
Simplify Dependabot test fixture configuration to rely on root-level ignores for non-maven ecosystems and explicit directories for maven fixtures.	Remove per-directory Dependabot entries for npm, pip, gomod, gradle, and cargo test fixture directories now covered by root-level ignore-all rules. Replace maven /** glob-based directory patterns with an explicit list of directories containing pom.xml files used as test fixtures, to ensure security updates are suppressed reliably. Document that this explicit maven directory list must be updated when new test fixtures are added.	.github/dependabot.yml
Introduce a project-wide conventions document including Dependabot guidance for test fixtures.	Add CONVENTIONS.md with language, style, architecture, testing, dependencies, and commit message conventions for the project. Document how Dependabot suppression should work for test fixtures, distinguishing between root-level ignore-all for non-maven ecosystems and per-directory rules for maven fixtures. (Note: the Test Fixtures section appears duplicated with slightly different wording; reviewers may want to confirm whether both blocks are intended.)	CONVENTIONS.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• CONVENTIONS.md has two ## Test Fixtures sections with slightly different guidance (one still mentioning /** globs) — consider consolidating into a single section that matches the new explicit-directory Maven configuration.
• The root-level Dependabot entries now include open-pull-requests-limit: 0 only for cargo; consider either relying solely on ignore: [{ dependency-name: "*" }] or applying open-pull-requests-limit consistently across ecosystems for clarity.
• In .github/dependabot.yml, the sequence of root-level ecosystems (npm, pip, uv, gomod, gradle, cargo) is now somewhat shuffled; consider reordering them consistently (e.g., alphabetically) to make the config easier to scan and maintain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- CONVENTIONS.md has two `## Test Fixtures` sections with slightly different guidance (one still mentioning `/**` globs) — consider consolidating into a single section that matches the new explicit-directory Maven configuration.
- The root-level Dependabot entries now include `open-pull-requests-limit: 0` only for `cargo`; consider either relying solely on `ignore: [{ dependency-name: "*" }]` or applying `open-pull-requests-limit` consistently across ecosystems for clarity.
- In `.github/dependabot.yml`, the sequence of root-level ecosystems (npm, pip, uv, gomod, gradle, cargo) is now somewhat shuffled; consider reordering them consistently (e.g., alphabetically) to make the config easier to scan and maintain.

## Individual Comments

### Comment 1
<location path=".github/dependabot.yml" line_range="37" />
<code_context>
     ignore:
       - dependency-name: "*"
-  - package-ecosystem: "gomod"
+  - package-ecosystem: "uv"
     directory: "/"
     schedule:
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check that Dependabot supports the "uv" ecosystem key in this context.

Dependabot’s docs list ecosystems like `pip`, `npm`, and `gomod`, but not `uv`. Unless you have custom support wired up, this key may be ignored or cause config errors. For Python projects using `uv`, you may still need to use the supported Python ecosystem (e.g., `pip`) or otherwise verify that your environment explicitly supports `uv` here.
</issue_to_address>

### Comment 2
<location path="CONVENTIONS.md" line_range="3" />
<code_context>
+# Coding Conventions
+
+<!-- This file documents project-specific coding standards for exhort-java-api. -->
+
+## Language and Framework
</code_context>
<issue_to_address>
**suggestion (typo):** Project name in the top comment seems inconsistent with the rest of the document.

The HTML comment still names `exhort-java-api`, but the rest of the file uses `trustifyda`. Please update this reference for consistency.

```suggestion
<!-- This file documents project-specific coding standards for trustifyda. -->
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Double-check that Dependabot supports the "uv" ecosystem key in this context.

Dependabot’s docs list ecosystems like pip, npm, and gomod, but not uv. Unless you have custom support wired up, this key may be ignored or cause config errors. For Python projects using uv, you may still need to use the supported Python ecosystem (e.g., pip) or otherwise verify that your environment explicitly supports uv here.

[a-oren]

Duplicate "Test Fixtures" section, this one should be removed