From 4bd05c7d8f559bed400f359fc59b0b7d39ee766f Mon Sep 17 00:00:00 2001
From: Sander Saares <sander@saares.eu>
Date: Tue, 31 Mar 2026 16:45:32 +0300
Subject: [PATCH] chore: suppress Dependabot minor/patch version bump PRs for
 Cargo deps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ignore semver-minor and semver-patch Cargo dependency updates. Only
major version bumps and security fixes will create PRs.

Includes a comment linking to dependabot-core#4009 — if Cargo gains
support for increase-if-necessary, the ignore rules can be replaced
with that strategy for better 0.x handling.

Also documents the feature branch workflow convention in AGENTS.md.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 18 +++++++++++++-----
 AGENTS.md              |  4 ++++
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7487fb314..4de54a0a5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,12 +10,20 @@ updates:
   commit-message:
     prefix: "chore: "
   ignore:
-    # ignore minor updates for tokio as they are semver compatible
-    - dependency-name: "tokio"
-      versions: ["1.x"]
-    # ignore patch updates for all dependencies
+    # Ignore all minor and patch updates — security updates are handled separately
+    # by Dependabot security alerts and are not affected by these ignore rules.
+    #
+    # Ideally we would use versioning-strategy: increase-if-necessary to allow
+    # minor bumps that only touch Cargo.lock (respecting Cargo's 0.x semver
+    # conventions). However, Cargo only supports "auto" and "lockfile-only" —
+    # see https://github.com/dependabot/dependabot-core/issues/4009
+    # If that issue is resolved, replace these ignore rules with:
+    #   versioning-strategy: increase-if-necessary
+    #   ignore patch updates only
     - dependency-name: "*"
-      update-types: ["version-update:semver-patch"]
+      update-types:
+        - "version-update:semver-minor"
+        - "version-update:semver-patch"
 
 - package-ecosystem: "github-actions"
   directory: "/"
diff --git a/AGENTS.md b/AGENTS.md
index cb8e0d092..e9e93f2a9 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,6 +2,10 @@
 
 Code in this repository should follow the guidelines specified in the [Microsoft Rust Guidelines](https://microsoft.github.io/rust-guidelines/agents/all.txt).
 
+## Branching
+
+Never commit directly to `main`. Always create a feature branch, push it, and open a pull request.
+
 ## README Files
 
 Crate README files are auto-generated via `just readme`. Do not manually update them.