WIP: Re-enable Dependabot security updates #1071

Closed
wants to merge 9 commits into from

Commits on Aug 3, 2022

  1. WIP: Re-enable Dependabot security updates

    GitHub automatically opts all qualifying repos in for security
    updates, but this gets overwritten by the presence of a
    `dependabot.yml` file, which we have in most repos. We’ll
    therefore need to edit the Dependabot config to fix security-related
    PRs not being raised.
    
    It’s not immediately clear from the docs exactly what’s needed
    to opt in, but we believe our use of an allow-list may be the
    issue.
    
    We get some value from configuring Dependabot to raise fewer PRs
    (i.e. only update the dependencies we care about), but we need
    security updates for _all_ dependencies, so this commit is an
    attempt to write a rule that allows security PRs but won’t affect
    the rest of our config.
    
    See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
    
    Trello: https://trello.com/c/nqliwwxV/2952-investigate-how-to-fix-dependabot-not-raising-security-prs
    ChrisBAshton committed Aug 3, 2022
    90b893c
  2. WIP: Switch brakeman policy from 'direct' to 'all'

    We think Brakeman is only raising security PRs for direct
    dependencies, so if a security vulnerability exists in a
    subdependency, we're not getting PRs. This commit should fix that.
    ChrisBAshton committed Aug 3, 2022
    9d0b8d8
  3. Bump brakeman from 5.2.1 to 5.2.3

    Bumps [brakeman](https://github.com/presidentbeef/brakeman) from 5.2.1 to 5.2.3.
    - [Release notes](https://github.com/presidentbeef/brakeman/releases)
    - [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
    - [Commits](presidentbeef/brakeman@v5.2.1...v5.2.3)
    
    ---
    updated-dependencies:
    - dependency-name: brakeman
      dependency-type: indirect
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Aug 3, 2022
    63f390e
  4. Bump gds-api-adapters from 81.0.3 to 81.0.4

    Bumps [gds-api-adapters](https://github.com/alphagov/gds-api-adapters) from 81.0.3 to 81.0.4.
    - [Release notes](https://github.com/alphagov/gds-api-adapters/releases)
    - [Changelog](https://github.com/alphagov/gds-api-adapters/blob/main/CHANGELOG.md)
    - [Commits](alphagov/gds-api-adapters@v81.0.3...v81.0.4)
    
    ---
    updated-dependencies:
    - dependency-name: gds-api-adapters
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Aug 3, 2022
    9848484
  5. EDIT: misunderstood. Reverting.

    This only defines whether we want to get PRs for subdependencies
    of brakeman.
    ChrisBAshton committed Aug 3, 2022
    129e96e

Commits on Aug 4, 2022

  1. WIP: specify a target-branch to allow security PRs back through

    According to [the docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch),
    Dependabot will ignore the configs in dependabot.yml for security
    PRs, if a target-branch has been set to something other than the
    default branch.
    
    I'm hoping to accomplish two things with these changes:
    
    1) Allow security PRs through again (even if they are for
       dependencies not on the `allow` list)
    2) Have a way of distinguishing between security and non security
       related PRs (by the absence of the new `not-security` label).
    
    Apart from the verbosity of the config, this does cause one new
    issue: what to do with the `latest-dependencies` branch (we'll
    definitely have to automate merging that to `main`, or at least
    automate opening a PR to `main`). We'll also need to figure out
    what happens if the `latest-dependencies` branch has not been
    created yet.
    ChrisBAshton committed Aug 4, 2022
    e4547d8
  2. Test: downgrade to Rails version with known vulnerability

    This was fixed in #1064.
    An ActiveRecord vulnerability existed which was fixed by a patch
    in Rails.
    
    By removing it, I'm hoping Dependabot will raise a PR to patch
    Rails again.
    This time, however, I've also removed Rails (and related gems)
    from the allow-list, which previously would have stopped the
    security PR from being raised.
    
    Now that we have the `target-branch` workaround, I'm hoping the
    PR will be raised.
    I will need to recreate the `latest-dependencies` branch from this
    branch first, and then trigger a Dependabot scan.
    ChrisBAshton committed Aug 4, 2022
    be7b5e3
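The configuration the first Aug 3 commit and the two Aug 4 commits are working towards, as an added illustration written for this page rather than the project's actual `dependabot.yml`: the `allow`-listed config that suppresses security PRs, followed by the `target-branch` variant that lets them through again. It assumes a single `bundler` ecosystem at the repository root and a daily schedule, and uses `rails` as a stand-in allow-list entry; the `latest-dependencies` branch and the `not-security` label are the names from the commit message above. A real `dependabot.yml` holds one YAML document; the two are separated with `---` here only so the before and after can be read side by side.

```yaml
# Added example, not the project's own config. Assumed: bundler ecosystem at
# the repo root, daily schedule, "rails" as a stand-in allow-list entry.

# BEFORE: the `allow` list also governs security updates, so a vulnerable
# gem that is not on the list gets no security PR at all.
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "rails"        # assumed allow-list entry
---
# AFTER: pointing version updates at a non-default branch makes Dependabot
# stop applying this block (including `allow`) to security updates, which
# are raised against the default branch for every dependency again.
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    # Branch named in the commit message; it has to exist for version
    # updates to be raised against it.
    target-branch: "latest-dependencies"
    # Applied to version-update PRs only, so a PR without this label is a
    # security PR (the distinguishing mark the commit message wants).
    labels:
      - "not-security"
    allow:
      - dependency-name: "rails"        # assumed allow-list entry
```

With the second form, version-update PRs target `latest-dependencies` and carry `not-security`, while security PRs target the default branch and carry no label. The commit message leaves open how `latest-dependencies` gets merged back to `main` and what happens before the branch exists; the Aug 4 test commit (downgrading Rails and removing it from the allow-list) is the check that a security PR is actually raised under this config.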

Commits on Aug 15, 2022

  1. Merge pull request #1072 from alphagov/dependabot/bundler/brakeman-5.2.3

    Bump brakeman from 5.2.1 to 5.2.3
    MuriloDalRi authored Aug 15, 2022
    ab30138
  2. Merge pull request #1073 from alphagov/dependabot/bundler/gds-api-adapters-81.0.4
    
    Bump gds-api-adapters from 81.0.3 to 81.0.4
    MuriloDalRi authored Aug 15, 2022
    724e432