tests: added dependabot for updating dependencies

[maykathm]

When merged to master, dependabot will check for updates in go dependencies and github actions weekly. When it finds an out-of-date package, it will automatically open a pull request. Here's an example of the pull requests opened on my fork of snapd when I pushed this yaml file to master: https://github.com/maykathm/snapd/pulls

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.15%. Comparing base (25236db) to head (2159e04).
Report is 202 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #14579      +/-   ##
==========================================
+ Coverage   78.86%   80.15%   +1.28%     
==========================================
  Files        1083     1160      +77     
  Lines      146105   162210   +16105     
==========================================
+ Hits       115233   130024   +14791     
- Misses      23675    24755    +1080     
- Partials     7197     7431     +234     

Flag	Coverage Δ
unittests	80.15% <ø> (+1.28%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[maykathm]

It looks like the dependabot will only send alerts for security updates. One option to keep the number of pull requests down is to group the changes.

Here's an example where I had the bot group together:

• major version bumps: build(deps): bump the breaking group with 3 updates maykathm/snapd#14
• minor+patch version bumps: build(deps): bump the non-breaking group with 8 updates maykathm/snapd#13

To ignore an update, one would have to either issue a command like @dependabot ignore <dep-name> major version or add that ignore command to the dependabot.yaml file. The bot doesn't automatically update the pull request though so ignores would need to be followed by an additional manual commit.

Obviously one can also change the frequency of updates. I currently have it set to weekly.

What do you think @ernestl and @sergiocazzolato?

[ernestl]

Thanks, looks good.

• Lets discuss with the team to get consensus on interval and grouping.
• Once fix cadence releases become a thing, we can consider doing this at a date right after such a release to ensure maximum time between updates and release attempts.

[ernestl]

Blocked, decided to first discuss with the team during engineering sprint.

[zyga]

Looks good, we should merge it as it will only open PRs and not automatically update anything. I'm not aware of any downsides.

[ernestl]

Thanks