feat: Add dependabot for github actions #228
Comments
I’m not sure we need dependabot. It feels like it only makes sense for projects (i.e. with requirements.txt), not libraries meant to work with multiple versions of libraries (even vulnerable ones).

This depends on how you want to use it. This issue primarily seems to be about automated updates for GitHub Actions, which is completely independent from Python package updates (although both use the dependabot approach).

Regarding Python packages: There are multiple approaches to this and no clearly defined way. For example: Use a dedicated requirements file which pins all versions to the latest versions known to work with the latest Python version supported. Once dependabot detects a package update for one of the pinned dependencies, let it open a PR and let GitHub Actions/CI automatically ensure that the latest package versions do not break the library code.
Interesting.
Very interesting. On very active projects it might not be that useful, but in projects that are actively maintained but get no new features often like this one, this sounds quite useful. Although I wonder if it would not be too noisy, creating a PR every time a dependency releases a new version.
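The setup the two comments above describe, written out as an added example (this is not a file from the project or from any commenter): a `.github/dependabot.yml` that enables updates for GitHub Actions (the subject of this issue) and a `pip` entry for a pinned requirements file that CI tests against, with a weekly schedule, pull-request limits and grouping so that a new release of every single dependency does not produce its own PR. The schedule values, limits, group names and the assumption that the pinned file is a `requirements.txt` at the repository root are all choices made for this example.

```yaml
# .github/dependabot.yml  (added example, not the project's own configuration)
version: 2
updates:
  # Keep the actions referenced from .github/workflows/*.yml current.
  # Dependabot locates the workflow files itself when directory is "/".
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"     # one check per week instead of daily churn
      day: "monday"
    open-pull-requests-limit: 5
    # Bundle every action bump into a single PR rather than one PR per action.
    groups:
      github-actions:
        patterns:
          - "*"

  # Python packages pinned in a dedicated requirements file (assumed here to be
  # requirements.txt at the repository root). CI runs against these pins, so a
  # bump that breaks the library fails on the PR instead of in a release.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    # Collapse minor and patch bumps into one PR; major bumps still get their own.
    groups:
      python-test-deps:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
```

Two practical notes: when workflow steps reference an action by full commit SHA rather than a mutable tag, Dependabot updates the SHA (and the version comment beside it) in its PRs, so SHA pinning and automated updates work together; and because every update arrives as a PR that must pass the existing workflows, the noise concern raised above is bounded by the schedule interval, the `open-pull-requests-limit` and the grouping, not by how often upstream releases.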
Problem
The GH actions workflows seem outdated.
Solution
Dependabot can provide PRs.
Recommendation
Because dependabot can be really annoying, I recommend: