chore: add dependabot config and downgrade setup-gradle to v5

[curfew-marathon]

gradle/actions/setup-gradle v6 introduced a licensing change requiring acceptance of new Terms of Use tied to a proprietary caching component. The ToS language is broad and legally ambiguous, raising concerns about IP rights over cached build artifacts (e.g. sources.jar).

Downgrade setup-gradle from v6.0.1 to v5.0.2 in CI workflows and add a dependabot config to block future v6 upgrades until the ToS is clarified.

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Configured automated monthly dependency updates for project and build dependencies.
  • Updated build tooling version configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 057e1dde-fef0-4d80-abe6-cbe8711b3d2a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Added a new Dependabot configuration enabling monthly dependency updates for Gradle and GitHub Actions with grouped dependencies and selective version ignores. Updated the Setup Gradle GitHub Action version from v6.0.1 to v5.0.2 across multiple workflow jobs.

Changes

Cohort / File(s)	Summary
Dependabot Configuration .github/dependabot.yaml	New v2 Dependabot configuration with monthly update schedules for Gradle (root and /examples/servlet) and GitHub Actions. Implements dependency grouping with wildcard patterns and selective version ignores for com.diffplug.spotless (>= 8.0.0) and gradle/actions/setup-gradle (>= 6.0.0, < 7.0.0).
GitHub Actions Workflow .github/workflows/main.yaml	Downgraded gradle/actions/setup-gradle version from v6.0.1 to v5.0.2 in test, publish-maven-central, and publish-github-packages jobs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• fix: replace gradle/wrapper-validation-action with gradle/actions/setup-gradle in test job #147: Modifies the same gradle/actions/setup-gradle GitHub Action version in .github/workflows/main.yaml.
• chore(ci): make dependabot updates grouped & weekly #130: Updates Dependabot configuration in the same file with grouped updates and per-path ignores.

Suggested reviewers

• ttrzeng
• ewanharris

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: adding a dependabot config and downgrading setup-gradle to v5, matching the actual file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dependabot-ignore-setup-gradle-v6

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates CI to avoid gradle/actions/setup-gradle v6 (per the PR description’s ToS concerns) by pinning workflows back to v5 and introducing a Dependabot rule intended to prevent future v6 upgrades.

Changes:

• Downgrade gradle/actions/setup-gradle in the main CI workflow from v6.0.1 to v5.0.2 (pinned by SHA).
• Add a Dependabot configuration intended to ignore gradle/actions/setup-gradle v6 updates (but currently introduced as a second config file).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/main.yaml	Pins gradle/actions/setup-gradle back to v5.0.2 across all jobs that use it.
.github/dependabot.yaml	Adds Dependabot rules (notably ignoring setup-gradle v6), but duplicates an existing .github/dependabot.yml.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.