ci: Dependabot with exceptions

[SimonRastikian]

Closes #2016

I find it a little concerning that I had to add this many exceptions in upgrades.

[claude]

Code Review

I've reviewed the Dependabot configuration. This looks good overall - all the ignored dependencies have corresponding comments in Cargo.toml explaining why they can't be upgraded.

Configuration Analysis

The ignored dependencies align with the TODO comments and pinning notes in Cargo.toml:

• hyper (Why are we using such an old version of hyper? #1299): Breaking changes in v1.0
• rcgen (update rcgen #2051): Breaking changes
• reqwest (upgrade reqwest to 0.13 #2053): Known upgrade issues
• httpmock: Requires rustc 1.88
• prometheus: Conflicts with nearcore requirements
• rocksdb (Update rocksdb version #690): Blocked until nearcore upgrades
• schemars: Must match near_sdk::schemars
• serde_yaml: Deprecated, needs alternative
• rand family (getrandom, rand, rand_chacha, rand_core) (Update getrandom workspace dep #1907): Must be upgraded together
• time: Requires MSRV 1.88

Minor Suggestions (non-blocking)

1. Target branch is redundant: The target-branch: "main" setting is the default and can be omitted.

2. Cooldown parameter: The cooldown.default-days: 7 with weekly schedule means Dependabot will check weekly but wait 7 days after rejection before re-proposing. This is sensible but consider if you want this behavior (some teams prefer immediate re-proposals on weekly checks).

3. Documentation: Consider adding a comment in this file pointing to the Cargo.toml comments explaining each exception, e.g.:

   # See Cargo.toml [workspace.dependencies] for explanations of ignored dependencies

The PR author's concern about "many exceptions" is understandable, but each one is justified by technical constraints documented in the codebase. This is a pragmatic approach for maintaining dependency hygiene while respecting the project's technical constraints.

✅ Approved - No critical issues. The configuration is safe and aligns with documented dependency constraints.

[gilcu3]

Closes #2099

I find it a little concerning that I had to add this many exceptions in upgrades.

It took me some time to learn, but the PR title should be: ci: added support for Dependabot with exceptions or something similar. feat is only used for new features (that ship in the mpc-node binary for example)

[SimonRastikian]

Haha done it before I saw the message :)

[gilcu3]

Thank you!

[DSharifi]

can you run the action manually once so we can see it works before merging?