[MINOR] chore(.github): group dependabot security updates by path

[jongyoul]

What is this PR for?

Group Dependabot security updates by exact path so the current burst of one-off security PRs can be regenerated as grouped PRs instead.

This configuration intentionally keeps non-security version updates disabled with open-pull-requests-limit: 0, so it only affects grouped security updates and does not start regular version-update PRs for these directories.

Covered paths:

• /docs
• /zeppelin-web
• /zeppelin-web-angular
• /dev
• /
• /alluxio
• /bigquery
• /elasticsearch
• /flink/flink-scala-2.12
• /livy
• /rlang
• /shell
• /spark/interpreter
• /spark/spark-scala-parent
• /zeppelin-interpreter
• /zeppelin-plugins/launcher/docker
• /zeppelin-plugins/launcher/k8s-standard
• /zeppelin-plugins/notebookrepo/s3

First time? Check out the contributing guide - https://zeppelin.apache.org/contribution/contributions.html

What type of PR is it?

Improvement

Todos

• Add .github/dependabot.yml for the targeted directories
• Verify the configured directory names match the repository
• Expand coverage to the remaining open Dependabot security-update paths
• Clarify that the config is intentionally security-updates-only

What is the Jira issue?

None. Minor maintenance change.

How should this be tested?

• Confirm .github/dependabot.yml is valid YAML.
• Confirm each configured directory exists in the repository.
• After merge, verify Dependabot opens grouped security update PRs for the listed paths.

Screenshots (if appropriate)

N/A

Questions:

• Does the license files need to update? No.
• Is there breaking changes for older versions? No.
• Does this needs documentation? No.

[Copilot]

Pull request overview

Adds a Dependabot configuration to group security update PRs by top-level path so each of /docs, /zeppelin-web, and /zeppelin-web-angular receives a single grouped security-update PR instead of many individual PRs.

Changes:

• Introduces .github/dependabot.yml with update entries for Bundler (/docs) and npm (/zeppelin-web, /zeppelin-web-angular)
• Configures Dependabot grouping for security updates using groups: … applies-to: security-updates

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jongyoul]

@tbonelee @ParkGyeongTae Could you please help review it? 🙏

[tbonelee]

I agree with the direction overall, but I just have one question. What were the criteria for deciding which directories were selected and which were not?

[jongyoul]

It depends on the separate situation. Hopefully, we might have directory basis but we need to modify time to time until we get the final consensus. Therefore, it's not a final decision but the beginning.

[tbonelee]

Thanks for the clarification. I understand the direction, and I agree with this approach.

[jongyoul]

Merged into master (28e9aa7).