Add dependabot to manage dependencies updates of github-actions

[kunzef]

What is dependabot

• dependabot periodically checks for outdated dependencies and raises PRs to update if there are any
• maintained and supported by GitHub
• configured in a dependabot.yml file
• having the dependabot.yml file automatically activates dependabot
• further options can be found under Settings -> Code security and analysis -> Dependabot
• more information here

What does this PR do

• adds the dependabot.yml file to the .github folder
• the added dependabot.yml is already configured to check all github-actions once every week for dependencies updates

[cole-miller]

Thanks for opening a PR! However, this doesn't really make sense to me. We don't bundle any of our dependencies, just find already-installed versions using pkg-config. The consumer of dqlite is responsible for providing up-to-date versions of libsqlite3, libuv, etc.

The only thing I can think of that dependabot could do is to update the minimal version requirements that we pass to pkg-config in configure.ac, but I don't think this is the kind of thing a bot is suited for. We don't want to bump the minimal version for libuv every time a new version is released -- we want to do it in response to needing a particular feature that's only present in newer libuv, or because we don't want the trouble of maintaining compatibility with old versions. The bot doesn't know about any of that stuff, so it's just going to open a bunch of extraneous PRs (or do nothing).

Does that make sense?

[cole-miller]

Oh, I see, it's just looking for dependency updates for the other GitHub actions that are used by our CI. That seems fine, then.

[cole-miller]

@kunzef We'll need you to create a Launchpad account and sign the Canonical CLA as described here.

[kunzef]

Hi Cole, yes the dependabot was only intended to update the github workflows. In regards to the Canonical CLA I've already signed it and just joined the CanonicalContributorAgreement organization. If there is more to do on my side let me know.

[codecov[bot]]

Codecov Report

Merging #516 (b1aa534) into master (2e34d9d) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #516   +/-   ##
=======================================
  Coverage   61.02%   61.02%           
=======================================
  Files          34       34           
  Lines        6352     6352           
  Branches     1888     1888           
=======================================
  Hits         3876     3876           
  Misses       1293     1293           
  Partials     1183     1183           

[cole-miller]

Ah, the problem is that you created the commit using the GitHub UI, so the author email address is blahblahblah@users.noreply.github.com, which is not associated with your Launchpad account. You can clone your fork and correct that author info (git commit -s --amend --reset-author, after checking that git config user.email is the right thing), or I can submit the same patch myself.

[kunzef]

Thanks for the help, I think I got it. If this still does not work feel free to submit the patch yourself.

[MathieuBordere]

Thanks!