
github: add dependabot configuration file #1427

Merged
merged 1 commit into from
Dec 7, 2021

Conversation

umarcor
Contributor

@umarcor umarcor commented Jun 29, 2021

Close #907

Dependabot was an external service for keeping dependencies up to date. It was bought by GitHub, and it's now a built-in service which integrates with security updates. See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically.

In April, GitHub announced that the external service (Dependabot Preview) is to be shut down in August: https://github.blog/2021-04-29-goodbye-dependabot-preview-hello-dependabot/.

This PR adds a dependabot configuration file for checking go dependencies weekly.

Note that this feature does NOT auto-merge. It will open PRs, but maintainers will need to merge them, or bump the dependencies otherwise.

Refs: #1420 #1406 #1404 #1364

@github-actions github-actions bot added the admin For general admin tasks to be done usualy by maintainers label Jun 29, 2021
@umarcor umarcor mentioned this pull request Jun 29, 2021
@umarcor umarcor mentioned this pull request Jul 11, 2021
@umarcor
Contributor Author

umarcor commented Jul 11, 2021

This PR now checks outdated github-actions too. Ref #1453.

/cc @mmorel-35

@mmorel-35
Contributor

Out of curiosity, why extend the limit of PRs to 99?

@umarcor
Contributor Author

umarcor commented Jul 11, 2021

Out of curiosity, why extend the limit of PRs to 99?

By default, dependabot will open a limited number of PRs (can't remember whether it's 4 or 10). Therefore, when more than those need to be updated, you don't get to see the big picture. You keep resolving/merging them, but you don't know when it will finish. By setting the limit to a large number, you know it will show all the dependencies that can be updated today (or this week, or this month). Then you can see potential conflicts and decide the order you want to follow for merging.

It is arguable whether having a low limit is relevant in this project, since the number of dependencies of cobra is rather low. However, I believe it's better to have an explicit value, rather than rely on GitHub's default. By the way, what I explained above might have changed in the last months, since GitHub first bought the service and then made it built-in.

@umarcor
Contributor Author

umarcor commented Jul 11, 2021

It seems the default number is five at the moment:

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates#frequency-of-dependabot-pull-requests

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the open-pull-requests-limit configuration option.

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit

By default, Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests, new requests are blocked until you merge or close some of the open requests, after which new pull requests can be opened on subsequent updates. Use open-pull-requests-limit to change this limit. This also provides a simple way to temporarily disable version updates for a package manager.

This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
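The configuration the description, the github-actions follow-up and the limit discussion above describe, written out as an added illustration (this is not the file the PR commits, whose diff is not shown on this page; the `directory` values are assumptions):

```yaml
# .github/dependabot.yml (added example, not the PR's own file)
version: 2
updates:
  # Go modules: check go.mod/go.sum once a week and open one PR per update.
  - package-ecosystem: "gomod"
    directory: "/"          # assumed: go.mod lives at the repository root
    schedule:
      interval: "weekly"
    # GitHub's default is 5 open version-update PRs. Raising the cap makes
    # every available update visible at once, so conflicts and merge order
    # can be planned; nothing is merged automatically either way.
    # The limit does not apply to security updates, which keep their own
    # internal limit of ten open PRs.
    open-pull-requests-limit: 99

  # GitHub Actions referenced in .github/workflows: flag outdated versions.
  - package-ecosystem: "github-actions"
    directory: "/"          # Dependabot reads .github/workflows from here
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 99
```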

@mmorel-35
Contributor

Thank you for the explanation. I can see why you took that decision.

@umarcor
Contributor Author

umarcor commented Aug 4, 2021

ping @jpmcb

macoMarv86 added a commit to macoMarv86/cobra that referenced this pull request Sep 30, 2021
github-dependabot/-spf13#1427/-configuration file
 Co-Authored-By: Matthieu MOREL <[email protected]>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 4, 2021
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 5, 2021

@stmcginnis stmcginnis left a comment


Looks good, and the explanation for limits makes sense.

umarcor added a commit to umarcor/cobra that referenced this pull request Nov 15, 2021
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 16, 2021
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 16, 2021
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 25, 2021
@jpmcb jpmcb merged commit d65ba12 into spf13:master Dec 7, 2021
@jpmcb jpmcb added this to the 1.3.0 milestone Dec 7, 2021
@umarcor umarcor deleted the github-dependabot branch December 7, 2021 22:44