Add Dependabot configuration for automated dependency and GitHub Actions updates

[Copilot]

This PR adds a comprehensive Dependabot configuration to automatically keep the VS Code extension's npm dependencies and GitHub Actions up-to-date.

What's Added

• .github/dependabot.yml - Complete configuration file for automated dependency management

Configuration Features

📅 Update Schedule

• Weekly dependency checks every Monday at 04:00 UTC
• Prevents overwhelming maintainers with daily updates while keeping dependencies reasonably current

🛡️ Smart Safety Controls

• Major version protection: Ignores major version updates for critical dependencies (typescript, @types/vscode, vscode) to prevent breaking changes
• Pull request limits: Maximum of 10 open npm dependency PRs and 5 GitHub Actions PRs to avoid repository clutter
• Automatic assignment: All dependency PRs are assigned to the repository owner for review

📦 Dual Ecosystem Support

• npm Dependencies: Monitors package.json for Node.js dependency updates
• GitHub Actions: Monitors workflow files for action version updates
• Security updates: Handled automatically by Dependabot with higher priority (no special grouping needed)
• Minor/patch updates: Non-security minor and patch updates are grouped together to reduce PR noise and maintenance overhead

🏷️ Organization & Tracking

• Consistent labeling with dependencies, npm, and github-actions labels for easy filtering
• Proper commit message formatting with npm: and github-actions: prefixes and scope inclusion
• Automatic reviewer assignment for accountability

Benefits

1. Security: Automatic security updates help maintain a secure codebase
2. Maintenance reduction: Grouping reduces the number of PRs to review
3. Stability: Major version updates require manual review to prevent breaking changes
4. Comprehensive coverage: Monitors both npm dependencies and GitHub Actions workflows
5. Visibility: Clear labeling and assignment ensure dependency updates don't go unnoticed

This configuration strikes a balance between keeping dependencies current and maintaining stability, ensuring the extension continues to work reliably while staying secure and up-to-date across both npm packages and GitHub Actions.

Resolves the request to automatically update used dependencies in the repository.

Warning

update.code.visualstudio.com

• Triggering command: node /home/REDACTED/work/github-copilot-token-usage/github-copilot-token-usage/node_modules/.bin/vscode-test (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Fixes #5

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add Dependabot config to the repo</issue_title>
<issue_description>Automatically update the used dependencies. </issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #5

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[rajbos]

@copilot remove the package.json from this changeset, that change is not needed. Dynamic files should not be added to the changesets when you write that code!

Also add support for the github-actions ecosystem.

[Copilot]

@copilot remove the package.json from this changeset, that change is not needed. Dynamic files should not be added to the changesets when you write that code!

Also add support for the `github-actio...

✅ Done! I've addressed both requests:

1. Removed package-lock.json changes: The dynamic package-lock.json file is no longer in the changeset
2. Added GitHub Actions ecosystem: Dependabot now monitors workflow files for action updates with appropriate configuration

The updated configuration includes both npm and github-actions ecosystems with consistent scheduling, labeling, and safety controls. Changes committed in 8fca5c1.

[rajbos]

@copilot address this error:

Your .github/dependabot.yml contained invalid details
Dependabot encountered the following error when parsing your .github/dependabot.yml:

The property '#/updates/0/groups/security-updates/update-types/0' value "security" did not match one of the following values: major, minor, patch
Please upda

[Copilot]

@copilot address this error:

Your .github/dependabot.yml contained invalid details
...

✅ Fixed! The Dependabot configuration error has been resolved:

Issue: "security" is not a valid update-types value
Solution: Removed the invalid security-updates group that used "security" as an update-type

What changed:

• Removed the invalid security-updates group configuration
• Security updates are still handled automatically by Dependabot (they get higher priority by default)
• Only valid update-types remain: "minor" and "patch" in the grouping configuration

The configuration is now valid and should work correctly. Changes committed in a307d61.