Autobuild: Add Github Action for dependency update PRs

[hoffie]

Describe the task

We have several external dependencies which are version-locked for reproducibility and security. We should regularly check those for updates. A Github Action scheduled job (cron-style) could do that. It could automatically submit a PR with the suggested update.

• [ ] Github Actions (uses:) #2778
• [ ] Pinned dependencies in the build process (aqt, Qt, JACK, jom, NSIS) #2777
• [ ] Android SDK/NDK/Commandlinetools)
• [ ] Check #2345 wrt completeness
• [ ] Submodules (liboboe)
• [ ] Add automated update to pylint (inclusion here closes https://github.com/jamulussoftware/jamulus/issues/3056)

Solutions to look into:

• dependabot
• https://github.com/apps/renovate

[ann0see]

Dependabot?

[hoffie]

Dependabot?

Yeah, might be worth a look wrt Github Actions usage. I would not expect it to catch the depds from our build scripts though, unless I'm missing something?

[ann0see]

Maybe we can set it up to do that

[hoffie]

From https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates#supported-repositories

Supported repositories Repository contains dependency manifest file from a package ecosystem that GitHub supports: "Supported package ecosystems"

So it looks like:

• [x] Github Actions could work.
• [x] pip (for aqt) could work (although we would have to create and use a pipfile.lock

That'd mean that the following would require manual work (at least):

• [ ] choco
• [ ] Qt

[ann0see]

The workflow does not handle most of the Android pinnings (haven't looked into it so far).

I think we should list them in this issue.

I just found out that create-dmg is also missing. So macOS and Android probably need some further investigation.

[ann0see]

Not sure what is still outstanding here. Tagging for looking at it in the next release.