[FEATURE] Add auto dependency upgrades for SDK

[saratvemulapalli]

Is your feature request related to a problem?

Add github dependabot support which raises PRs when security issues are found within code.

What solution would you like?

Write up dependabot.yml and configure it for the repo[1].

[1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates

[dbwiddis]

I recently replaced Dependabot on my repo with Renovate. I consider it much better of a product. Some advantages:

• If you want it to act just like Dependabot you can, but you can even customize time of day of the PRs, or just let them come whenever detected. It's always faster than Dependabot which I think only runs once daily, which is important for security-based issues.
• Bump PRs have a header with badges displaying the quality of the dependencies. See an example here. What the age of the version is, what percentage of Renovate users have upgraded, what percentage of them have passing tests. This is invaluable for evaluating major version bumps and adoption/quality.
• You can group/batch version bumps together. I have done this to batch my build plugins (to get a single PR instead of 3 for ones that release together, for example) to reduce the PR noise. Here's an example batch PR
• It creates a "Dashboard" issue that shows you any pending bumps or ones you've intentionally suppressed. See example here.
• It has the ability to auto-merge its own PRs, which I've enabled for minor and patch versions of build plugins. We probably don't want that feature here, but it's available :)
• Sample config file: simple (and I even have a more "advanced" config).

Unless there's a reason we are tied to the same system as OpenSearch, I'd consider it. Heck, I might submit an issue to OpenSearch to recommend it :)

[dbwiddis]

Some bloggers like Renovate:

• Software Dependency Management: From Dependabot to Renovate
• Automate Dependency Updates With Renovate, Not With Dependabot

Other reasons Renovate is awesome (and no I'm not a paid shill):

• The company behind it (Mend) is a rebrand from WhiteSource which we already use/trust in our CI
• Dependabot works great for Github. Because it's developed by GitHub. As an independent product, Renovate supports many more platforms than GitHub, which may or may not be relevant in our future if we have more Docker integration, etc.

[saratvemulapalli]

Thanks @dbwiddis. I didnt know Mend Renovate is really better. I really like that.
I am happy as long as dependencies are being upgraded : )

[dbwiddis]

This needs to be initially setup by an owner of opensearch-project. How do we request that?