Restrict Dependabot updates to direct dependencies

Configure Dependabot to only open pull requests for direct dependencies,
reducing noise from transitive updates and keeping changes more relevant and
easier to review.

Approach recommended in GOV.UK Developer Docs.

https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#dependency-type-allow

Author: AgaDufrat

.github/dependabot.yml

@@ -6,6 +6,8 @@ updates:
       interval: weekly
       day: tuesday
       time: "07:00"
+    allow:
+      - dependency-type: direct
     ignore:
       - dependency-name: pact
         versions: [ ">=2.0.0" ]