dockstore / dockstore

Our VM/Docker sharing infrastructure and management component
https://dockstore.org/
Apache License 2.0

SEAB-6342: Ignore frozen cwltool dependencies #5870

Closed ll5zh closed 2 months ago

ll5zh commented 2 months ago

Description

We want cwltool dependencies to be ignored when Dependabot makes dependency updates.

After taking a look with @denis-yuen, it appeared that package-ecosystem: "pip" was only opening PRs for cwltool dependencies and wasn't actually maintaining Swagger UI dependencies, contrary to what this comment suggests. If this is the case, then removing the pip package manager altogether should get rid of unwanted PRs associated with cwltool dependencies.

Review Instructions

Confirm (or deny) that Dependabot's pip updates are solely for cwltool dependencies (which we want to freeze), and that pip can be removed from dependabot.yml.

If we do need to keep the pip package manager: this workaround (suggested in the ticket) involves specifying a directory for Dependabot to ignore (via directory: "/directory-to-exclude"). What would be our "directory-to-exclude", in order to ignore cwltool dependencies?

Issue

SEAB-6342


codecov[bot] commented 2 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 74.49%. Comparing base (7347da6) to head (1081bd5).

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##             develop    #5870   +/-   ##
==========================================
  Coverage      74.49%   74.49%
  Complexity      5244     5244
==========================================
  Files            368      368
  Lines          18945    18945
  Branches        1992     1992
==========================================
  Hits           14114    14114
  Misses          3880     3880
  Partials         951      951
```

| [Flag](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | Coverage Δ | |
|---|---|---|
| [bitbuckettests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `27.22% <ø> (-0.02%)` | :arrow_down: |
| [integrationtests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `58.91% <ø> (ø)` | |
| [languageparsingtests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `11.08% <ø> (ø)` | |
| [localstacktests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `21.71% <ø> (ø)` | |
| [toolintegrationtests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `30.62% <ø> (ø)` | |
| [unit-tests_and_non-confidential-tests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `28.58% <ø> (ø)` | |
| [workflowintegrationtests](https://app.codecov.io/gh/dockstore/dockstore/pull/5870/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore) | `38.88% <ø> (ø)` | |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=dockstore#carryforward-flags-in-the-pull-request-comment) to find out more.


denis-yuen commented 2 months ago

> What would be our "directory-to-exclude", in order to ignore cwltool dependencies?

We'd want to ignore https://github.com/dockstore/dockstore/tree/develop/dockstore-webservice/src/main/resources/requirements/1.13.0 and https://github.com/dockstore/dockstore/tree/develop/dockstore-webservice/src/main/resources/requirements/1.14.0

That said, after looking at that directory, interestingly, I see https://github.com/dockstore/dockstore/blob/develop/dockstore-webservice/src/main/resources/requirements/swagger-ui/requirements.properties, but because of the way templating is being used, I doubt Dependabot will work.

So let's give this a shot
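One way to run the check the review instructions ask for on a local checkout, as an added example that is not part of the PR or the Dockstore code: list every pip manifest in the tree and report whether any sits outside the two frozen directories named above. The set of file names treated as pip manifests, the `requirements.txt` files in the sample tree, and all function names are assumptions made for illustration.

```python
import os
import tempfile

# Directories named in the thread as holding the frozen cwltool pins.
REQ = "dockstore-webservice/src/main/resources/requirements"
FROZEN = (REQ + "/1.13.0", REQ + "/1.14.0")
# Assumption: file names counted as pip manifests; extend for your repository.
PIP_NAMES = {"setup.py", "setup.cfg", "Pipfile", "Pipfile.lock", "pyproject.toml"}


def is_pip_manifest(name):
    if name in PIP_NAMES:
        return True
    return name.startswith("requirements") and name.endswith((".txt", ".in"))


def audit(root):
    """Split the pip manifests under root into (frozen, other) relative paths."""
    frozen, other = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if not is_pip_manifest(name):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            bucket = frozen if any(rel.startswith(f + "/") for f in FROZEN) else other
            bucket.append(rel)
    return sorted(frozen), sorted(other)


def build_sample(root, extra=()):
    """Constructed checkout: file names are placeholders, not the real repo contents."""
    paths = [f + "/requirements.txt" for f in FROZEN]
    paths.append(REQ + "/swagger-ui/requirements.properties")  # templated, not pip
    for rel in list(paths) + list(extra):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("example==0.0.0\n")


def pip_safe_to_remove(root):
    """True when every pip manifest found sits under a frozen directory."""
    _, other = audit(root)
    return not other


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp), pip_safe_to_remove(tmp))
```

Pointing `audit()` at a real checkout instead of the constructed tree lists any manifest that would lose update PRs if the pip entry were dropped.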