
Fix ignore option for gitsubmodule #14352

Merged
thavaahariharangit merged 1 commit into dependabot:main from etan-status:dev/etan/gm-fixignore
Mar 3, 2026

Conversation

@etan-status
Contributor

Dependabot has an `ignore` option to exclude certain version ranges from update proposals. However, for the gitsubmodule ecosystem these options get ignored, effectively making it impossible to track the latest HEAD when release tags are present on the current branch.

With this fix, it becomes possible to opt out of release tracking:

```yaml
updates:
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "*"
        versions: ["> 0.0.0"]
```

What are you trying to accomplish?

Fixes #1639 (comment)

Anything you want to highlight for special attention from reviewers?

This is essentially a fix for pre-existing functionality of Dependabot that simply wasn't properly routed to gitsubmodule.

How will you know you've accomplished your goal?

Added a new test that covers the "> 0.0.0" case specifically.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

Copilot AI review requested due to automatic review settings March 3, 2026 15:06
@etan-status etan-status requested a review from a team as a code owner March 3, 2026 15:06
@github-actions github-actions bot added the L: git:submodules Git submodules label Mar 3, 2026
Contributor

Copilot AI left a comment


Pull request overview

Routes Dependabot’s standard ignore (and related) update-checker options through the git_submodules ecosystem so users can opt out of release/tag tracking (e.g., to follow the latest branch HEAD even when tags are present).

Changes:

  • Pass ignored_versions, security_advisories, raise_on_ignored, and dependency_files into the GitSubmodules LatestVersionFinder.
  • Apply ignored-version filtering in LatestVersionFinder#latest_tag.
  • Add specs covering the "> 0.0.0" ignore behavior and the “all versions ignored” (nil / AllVersionsIgnored) cases.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| `git_submodules/lib/dependabot/git_submodules/update_checker.rb` | Forwards ignore/security/raise options into LatestVersionFinder so GitSubmodules honors standard update-checker behavior. |
| `git_submodules/lib/dependabot/git_submodules/update_checker/latest_version_finder.rb` | Applies filter_ignored_versions when computing the latest tag. |
| `git_submodules/spec/dependabot/git_submodules/update_checker/latest_version_finder_spec.rb` | Adds coverage for ignored versions affecting tag selection and for "all versions ignored" behavior. |
Comments suppressed due to low confidence (1)

git_submodules/lib/dependabot/git_submodules/update_checker/latest_version_finder.rb:31

  • The comment about falling back to the current tag when there are no releases after filters is misleading: apply_post_fetch_latest_versions_filter returns early when releases.empty?, so no fallback is applied (and latest_tag becomes nil). Consider updating the comment to match the actual behavior (especially now that ignored_versions can legitimately filter everything), or adjusting the method if the intended behavior is to always include the current tag as a fallback candidate.
```ruby
        releases = filter_by_cooldown(T.must(releases))
        releases = filter_ignored_versions(releases)

        # if there are no releases after applying filters, we fallback to the current tag to avoid empty results
        releases = apply_post_fetch_latest_versions_filter(releases)
        releases.max_by(&:version)&.tag
      end
```

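As an added example (not Dependabot's own code), a stdlib-only Ruby model of the tag selection that this PR routes `ignore` through, covering both the `"> 0.0.0"` opt-out from the description and the "all versions ignored" outcome Copilot's note raises. `AllVersionsIgnored`, `latest_tag`, `releases_from_tags` and the sample tags are constructed stand-ins, not the project's classes or methods.

```ruby
# Constructed model (not Dependabot's own code) of the tag selection the PR
# routes `ignore` through: drop tags inside ignored version ranges, then pick
# the highest remaining tag. Uses only the Ruby standard library.
require "rubygems"

# Constructed stand-in for the "all versions ignored" signal mentioned in review.
class AllVersionsIgnored < StandardError; end

Release = Struct.new(:tag, :version)

# Turn tag names into comparable releases. Tags that are not versions
# (e.g. "nightly") are skipped: they can be neither ordered nor range-matched.
def releases_from_tags(tags)
  tags.filter_map do |tag|
    v = tag.sub(/\Av/, "")
    Release.new(tag, Gem::Version.new(v)) if Gem::Version.correct?(v)
  end
end

# Remove every release whose version satisfies one of the ignored ranges.
# Ranges use the same "> 0.0.0" / ">= 2.0, < 3" syntax as the YAML `versions:`.
def filter_ignored_versions(releases, ignored_versions)
  reqs = ignored_versions.map { |r| Gem::Requirement.new(*r.split(",").map(&:strip)) }
  releases.reject { |rel| reqs.any? { |req| req.satisfied_by?(rel.version) } }
end

# Newest tag surviving the filter, or nil when none does (the opt-out case:
# with no tag candidate left, the submodule follows the branch HEAD instead).
# raise_on_ignored: true turns that empty result into an explicit error.
def latest_tag(tags, ignored_versions: [], raise_on_ignored: false)
  releases = filter_ignored_versions(releases_from_tags(tags), ignored_versions)
  if releases.empty?
    raise AllVersionsIgnored, "every tag is ignored" if raise_on_ignored && !tags.empty?
    return nil
  end
  releases.max_by(&:version).tag
end

if __FILE__ == $PROGRAM_NAME
  tags = %w[v1.0.0 v1.2.0 v2.0.0 nightly]                  # constructed sample tags
  p latest_tag(tags)                                        # "v2.0.0"
  p latest_tag(tags, ignored_versions: [">= 2.0.0"])        # "v1.2.0"
  p latest_tag(tags, ignored_versions: ["> 0.0.0"])         # nil
end
```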
@thavaahariharangit thavaahariharangit merged commit 1426d4e into dependabot:main Mar 3, 2026
57 of 58 checks passed
@etan-status etan-status deleted the dev/etan/gm-fixignore branch March 3, 2026 17:10

Successfully merging this pull request may close these issues.

Git submodules update to latest tag?