Configurable ignored modules on dependency submission

[rossabaker]

Any Scala 3 build using dependency submission will get 14 useless Dependabot alerts due to stale scaladoc dependencies. I propose a key to ignore a set of modules, to render as the modules-ignore parameter in the GitHub Action.

I already baked this into the plugin at $WORK and can port it here if there's interest, once I confirm that it works.

[armanbilge]

I noticed we've been getting a lot of build-related Dependabot alerts in Cats Effect as well.

So this seems like a good idea, and maybe we can put in some sensible defaults. For example instead of modules-ignore I wonder if we can config-ignore the test, scala-tool, and scala-doc-tool configs. Also, maybe no-publish projects can automatically register themselves with modules-ignore.

[rossabaker]

Our internal plugin sets a default config-ignore (we don't do test, but I like it) to such good effect that consumers don't typically need to configure anything else. But I like your no-publish idea, too.

[rossabaker]

Maybe also doc? mdoc has a stale pdf-box that's a few dependencies deep. I think it would have about the same pros and cons as ignoring test.

[armanbilge]

Does mdoc fall under doc? I thought it might fall under no-publish but I have no idea 🤔

[rossabaker]

Oh, I don't think doc is right. The configuration is called docs, and it doesn't have a classpath. mdoc and its insecure great-great-great grandchild shows up in doc / Compile. The no-publish rule would do what we want here.