fix(deps): hold Spring Boot/Framework/Gradle majors until starter certifies

[jlc488]

Summary

Dependabot opened 18 individual PRs (#19-#36) to bump every demo from Spring Boot 3.5.3 → 4.0.6 (major) and Gradle wrapper 8.10.2 → 9.5.1 (major). The grouped PRs from the same run worked fine (e.g. #18 spring-boot patch/minor across 9 dirs); what didn't was that Dependabot's default group semantics exclude `version-update:semver-major`, so majors escaped grouping and landed as individual PRs per demo.

Beyond the queue noise, the real problem is that the demos must mirror the Spring Boot baseline each starter was certified against — per the easy-paging README:

Spring Boot 3.3+ on Java 21+ (built/tested against 3.5)

`easy-paging-spring-boot-starter` has not (yet) published a release certified against Spring Boot 4 / Spring Framework 7 / Jakarta EE 11. Auto-bumping demos to SB4 would silently advertise an unverified combination to anyone who clones a demo as a starting point.

Change

Adds an `ignore` block holding majors for:

Pattern	Why hold
`org.springframework.boot:*`	The BOM driver — moving it majors everything
`io.spring.dependency-management`	Coupled to SB plugin
`org.springframework:*`	Transitively pulled in; majors can land off the SB cadence
`org.springframework.cloud:*`	Same
`gradle` (wrapper)	Each major needs hand verification of deprecations-now-errors before going green across 9 demos

Patch/minor bumps still flow through (and group correctly — PR #18 already proved that path), so security fixes within the 3.5.x line land normally.

When to lift

When each starter publishes a SB4-compatible release line (e.g. `easy-paging-spring-boot-starter:0.5.0`), this ignore block gets relaxed for that specific starter family, and the demos get upgraded together in one intentional PR per starter — not piecemeal by a robot.

Follow-up cleanup (manual, after this merges)

• ✅ Merge PR build(deps)(deps): bump the spring-boot group across 9 directories with 1 update #18 (grouped patch/minor across 9 demos) — already proven correct group path
• ✅ Merge PRs build(ci)(deps): bump gradle/actions from 4 to 6 #14-build(ci)(deps): bump actions/setup-java from 4 to 5 #17 (github-actions minors) — inside policy
• ❌ Close PRs build(deps)(deps): bump org.springframework.boot from 3.5.3 to 4.0.6 in /easy-paging-demo #19-build(deps)(deps): bump gradle-wrapper from 8.10.2 to 9.5.1 in /ssrf-guard-springai-demo #36 (18 stragglers) — the new policy guarantees they won't reappear on the next Dependabot run

Verification

Config-only change. CI `detect` job should identify zero demos changed (no `*-demo/` paths touched), build job correctly skipped.

YAML parse + structure check passed locally:

• 9 directories preserved
• 5 ignore rules (the new block)
• 5 groups preserved (easy-paging, ssrf-guard, spring-boot, test-tooling, database-drivers)

Test plan

• CI green (detect → no demos → build skipped)
• After merge, follow up with the 4 merges + 18 closes listed above
• Next weekly Dependabot run (next Monday 09:00 KST) does NOT re-open any SB-major or Gradle-major PRs