add dependabot comments, and ignore dependabot branches and paths

.github/dependabot.yml

@@ -1,15 +1,30 @@
+---
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
 updates:
+  # Docker: Dependabot can add metadata from Docker images to pull requests for version updates.
+  # The metadata includes release notes, changelogs and the commit history.
+  # Repository administrators can use the metadata to quickly evaluate the stability risk of the dependency update.
+  # In order for Dependabot to fetch Docker metadata,
+  # maintainers of Docker images must add the `org.opencontainers.image.source` label to their Dockerfile,
+  # and include the URL of the source repository.
+  # Additionally, maintainers must tag the repository with the same tags as the published Docker images
   - package-ecosystem: docker    # See documentation for possible values https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
     directory: "/"    # Location of package manifests
     schedule:
       interval: weekly
+  # Maven: Dependabot doesn't run Maven but supports updates to pom.xml files.
   - package-ecosystem: maven    # See documentation for possible values https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
     directory: "/"    # Location of package manifests
     schedule:
       interval: weekly
+  # GitHub Actions: Dependabot only supports updates to GitHub Actions using the GitHub repository syntax,
+  # such as actions/checkout@v4. Docker Hub and GitHub Packages Container registry URLs are currently not supported.
+  - package-ecosystem: github-actions    # See documentation for possible values https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
+    directory: "/"    # Location of package manifests
+    schedule:
+      interval: weekly

.github/workflows/build.yml

@@ -3,12 +3,16 @@ name: Build demoapp-backend
 
 # Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
 on:
+  # Run workflow on push except for ignored branches and paths
   push:
-    branches:
-      - main
-      - release/.*
+    # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
+    branches-ignore:
+      - 'dependabot/**'
+      - 'cherry-pick-*'
     paths-ignore:
       - '**.md'
+      - '.github/dependabot.yml'
+  # Allow user to manually trigger Workflow execution
   workflow_dispatch:
 jobs:
   lint:

.github/workflows/code-analysis.yml

@@ -0,0 +1,38 @@
+---
+name: CodeQL Scan
+
+# Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
+on:
+  # Run workflow on push except for ignored branches
+  push:
+    # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
+    branches-ignore:
+      - 'dependabot/**'
+      - 'cherry-pick-*'
+    paths-ignore:
+      - '.github/dependabot.yml'
+  # Run workflow on pull request
+  pull_request:    # By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened
+
+# Run a single job at a time: https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+# Set Workflow-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions:
+  contents: read
+
+jobs:
+  codeql:
+    runs-on: ubuntu-latest    # GitHub-hosted runners: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
+    permissions:
+      actions: read    # for github/codeql-action/init to get workflow details
+      contents: read    # for actions/checkout to fetch code
+      security-events: write    # for github/codeql-action/autobuild to send a status report
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4    # https://github.com/marketplace/actions/checkout
+
+      - name: Initialize CodeQL
+        uses:     # https://github.com/github/codeql-action

docs/repository-configuration/README.md

@@ -0,0 +1,13 @@
+# Repository Configuration
+
+This section guides you on how this repository was setup
+
+
+## Code Analysis/Scanning
+### Configuring repository for GitHub CodeQL
+[CodeQL](https://codeql.github.com/docs/codeql-overview/about-codeql/) is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis.
+
+In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
+
+See steps on [Configuring default setup for a repository](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#configuring-default-setup-for-a-repository)
+