kubescape / storage

Apache License 2.0

add dependabot config #50

Closed matthyx closed 10 months ago

matthyx commented 10 months ago

PR Type:

Enhancement


PR Description:

This PR introduces a configuration file for Dependabot, a tool that helps to keep dependencies up-to-date. The configuration file specifies that updates should be checked on a weekly basis. However, the package ecosystem and the directory of package manifests are not specified and need to be filled in.


PR Main Files Walkthrough:

files: `.github/dependabot.yaml`: A new configuration file for Dependabot has been added. It is set to check for updates on a weekly basis. The package ecosystem and the directory of package manifests are left blank and need to be specified.

codiumai-pr-agent[bot] commented 10 months ago

PR Analysis

How to use

To invoke the PR-Agent, add a comment using one of the following commands: /review [-i]: Request a review of your Pull Request. For an incremental review, which only considers changes since the last review, include the '-i' option. /describe: Modify the PR title and description based on the contents of the PR. /improve [--extended]: Suggest improvements to the code in the PR. Extended mode employs several calls, and provides a more thorough feedback. /ask <QUESTION>: Pose a question about the PR. /update_changelog: Update the changelog based on the PR's contents.

To edit any configuration parameter from configuration.toml, add --config_path=new_value For example: /review --pr_reviewer.extra_instructions="focus on the file: ..." To list the possible configuration parameters, use the /config command.

vladklokun commented 10 months ago

@matthyx @dwertent

Before we jump into having dependabot spam the PRs with bumping updates, I want us to consider the updating strategy for storage. What are we trying to achieve here?

My main concern is that the default workflow the Kubernetes SIG suggests for Aggregated APIServers forking from the sample repository is rebasing onto the parent repo every once in a while. Not bumping dependencies on your own. We have never done this yet, because we don’t fully understand the implications, like how many merge conflicts we would have to solve when rebasing onto the parent repository.

If we enable dependabot and commit to bumping images as it suggests, how does this affect our workflow? Does it make it more complicated to rebase onto the parent repo and keep the dependencies updated?

Let’s maybe define our dependencies strategy before enabling dependabot?
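As an added illustration, not the file from this PR nor anything from the kubescape/storage repository, the following is a complete Dependabot configuration that fills in the two fields the PR description leaves blank and scopes the bot so that it stays out of the way of the rebase workflow discussed above. Every concrete value is an assumption: that the repository is a Go module with its go.mod at the root, that Kubernetes libraries under k8s.io and sigs.k8s.io are taken from the upstream sample repository by rebasing and should therefore not be bumped by Dependabot, and that GitHub Actions workflows in the repo should also be kept current.

```yaml
# Added example (not the PR's dependabot.yaml): a complete configuration under
# the assumptions stated in the lead-in. Keys used here (version, updates,
# package-ecosystem, directory, schedule, open-pull-requests-limit, ignore,
# groups) are standard Dependabot v2 configuration keys.
version: 2
updates:
  - package-ecosystem: "gomod"      # assumption: Go module at the repo root
    directory: "/"                  # assumption: go.mod lives at "/"
    schedule:
      interval: "weekly"            # the cadence the PR description specifies
    open-pull-requests-limit: 5     # bound the number of concurrent bump PRs
    # Assumption: these packages are updated by rebasing onto the upstream
    # sample repository, so Dependabot is told to leave them alone.
    ignore:
      - dependency-name: "k8s.io/*"
      - dependency-name: "sigs.k8s.io/*"
    # Batch the remaining bumps into one PR per week instead of one per module.
    groups:
      go-dependencies:
        patterns:
          - "*"
  - package-ecosystem: "github-actions"   # assumption: workflows to keep current
    directory: "/"
    schedule:
      interval: "weekly"
```

The `ignore` block is the knob that reconciles the two approaches in this thread: Dependabot handles the dependencies the project owns, while the set that the rebase workflow owns is excluded, so a weekly bump never pulls a Kubernetes library ahead of what the next rebase will bring in. Which packages belong in that excluded set is exactly the dependency strategy the thread asks to define first; the two patterns above are placeholders for it.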

github-actions[bot] commented 10 months ago

Summary:

matthyx commented 10 months ago

@vladklokun you're right