[DRAFT]: Add and configure Dependabot

[agriyakhetarpal]

Description

This pull request closes #78; it aims to add Dependabot to our repository for maintaining our workflows, and for downstream I have yet to test it out on my fork!

Here's a brief list of TODO items before we should be ready:

• Add documentation on how to use, configure, and maintain Dependabot
  • Add links to GitHub's documentation
  • Explain that Dependabot has to be enabled in the settings once they create a repository
  • Add a guide on what Dependabot does and how to handle incoming PRs for package updates
• Ensure that Dependabot can update GitHub Actions dependencies in our repository's workflows
• Explore whether Dependabot can update GitHub Actions dependencies in the template's files

[lwasser]

Hey there @agriyakhetarpal, I'm just checking in on this pr. It's been open for a while. Is there a. minimal version of the TODO's that we could consider to make it ready for review? Perhaps we just add dependabot as a first step?

[agriyakhetarpal]

Hi @lwasser, thanks for the ping! I'm sorry about the delay in my response here – I have a bunch of notifications I'm supposed to be working through :)

Dependabot is able to update GitHub Actions dependencies in files under .github/workflows/, of course. However, in a fork that I set up previously, I struggled to make it work with the latter point:

Explore whether Dependabot can update GitHub Actions dependencies in the template's files

Dependabot can't recognise these files, unfortunately – so I think we would need a manual way to sync dependencies between .github/workflows/ and the template files. We could write a script to do this and have a bot run it so that it updates the template's workflow files automatically, perhaps using some regex operations or sed commands. Still, it would not be smart enough to figure out merge conflicts. It could potentially overwrite intentional changes to workflows (say, if we add temporary comments around a GitHub Actions step or comment out a step if it's broken or not needed). This way is directly opposite to what we discussed in the issue linked to this PR, #78, where you mentioned:

The first one is surely not ideal, so we should explore if Dependabot will choose to be the star here or not 😉

So, I do think adding Dependabot as the first step would be sufficient, at least for the repository, and we can keep the issue open. We also have to note that even if the template's GitHub Actions dependencies are out of date, Dependabot will create a PR to update them as soon as it's enabled in a package's repository. The only trouble I can see from that is that if the actions used get terribly out of date, we would put the user in a situation where they need to update to newer versions of the actions themselves to get them in a workable state.

---

This PR is ready for review as is, right now – the only parts missing are the documentation updates for explaining to our users how to use Dependabot effectively to maintain the package(s) they generate from the template.