
Enable dependency update tool #117

Open: wants to merge 2 commits into base: master

Conversation

joycebrum (Contributor)

Hi @dustin, still regarding #114, it is possible to enable a dependency update tool. The most famous ones are Dependabot and Renovatebot.

Both have pros and cons, and I can help you with the comparison in "Additional Context" if you want to know more about them. Here in the PR I brought a configuration file for Dependabot (since it is the official GitHub tool, it is easier to configure). I tried to keep it with broad weekly limits so as not to bother you with maintaining the project. Here is a Dependabot PR example: joycebrum#1.

PS: the idea is to use both tools to update GitHub workflow dependencies, but if you wish it can be used to update other dependencies in the project (see the possible package ecosystems for Dependabot, for example).

Let me know if you would rather use Renovatebot; I can configure it for you.

Additional Context

Dependabot

Pros

  • GitHub Official Tool
  • Does not break yml-lint “2 spaces before # comment inline” rule when updating
  • Easy to configure

Cons

  • It produces one PR for each version upgrade (more noise)

Renovatebot

Pros

Cons

@joycebrum joycebrum changed the title Enable dependabot updates Enable dependency update tool Aug 8, 2023
diogoteles08

Hi! I'm Diogo and I work along with Joyce in Google’s Open Source Security Team.

I'm following up on this PR because it's been idle for a while, but I also bring some updates on the information Joyce has thoughtfully brought.

At the time she wrote this issue, Dependabot had no way to control the PRs that update the versions, but it has now released a way to group the changes into a smaller number of PRs. It's still a new feature and requires configuration, but it already makes it easier (and less painful) to use Dependabot if you wish.

Cheers,
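A Dependabot configuration of the kind discussed in this thread, as an added example: it is not the file from this PR (that file is not shown on this page) and not code from the project. It assumes the repository's workflows live under `.github/workflows` (the default location for the `github-actions` ecosystem), uses a weekly schedule with a cap on open PRs, as Joyce describes, and uses the grouping feature Diogo mentions to collapse all action bumps from one run into a single PR. The group name, label and commit prefix are arbitrary choices.

```yaml
# .github/dependabot.yml (added example; assumed file location)
version: 2
updates:
  # Keep the GitHub Actions referenced from .github/workflows up to date.
  - package-ecosystem: "github-actions"
    # For the github-actions ecosystem "/" means .github/workflows.
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of simultaneously open update PRs so a burst of
    # upstream releases does not flood the maintainer.
    open-pull-requests-limit: 3
    # Group every action bump into one PR per run instead of one PR per
    # action (the feature Diogo refers to). The group name is arbitrary.
    groups:
      github-actions:
        patterns:
          - "*"
    # Optional cosmetics so the PRs are easy to filter.
    labels:
      - "dependencies"
    commit-message:
      prefix: "ci"
```

Dependabot also updates actions that are pinned to a full commit SHA and keeps the trailing `# vX.Y.Z` comment current, so a repository can pin `uses:` lines to SHAs (which protects against a tag being moved or re-published) and still rely on this file to keep them fresh. Other ecosystems (pip, npm, gomod, and so on) are added as further entries under `updates`, one per `package-ecosystem`/`directory` pair, each with its own schedule, limit and groups.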
