Set up Dependabot for dependency updates

[rammrain]

Summary

Configure GitHub Dependabot to automatically open PRs for outdated dependencies, keeping the project secure and up to date.

Tasks

• Add .github/dependabot.yml configuration file
• Configure ecosystems:
  • gradle — Java/Kotlin dependencies in build.gradle
  • github-actions — workflow action versions in .github/workflows/
• Set update schedule (e.g., weekly)
• Configure grouping for minor/patch updates to reduce PR noise
• Set PR limits and labels (e.g., dependencies label)
• Add reviewers/assignees as appropriate
• Verify Dependabot opens PRs on the next scheduled run

Example Configuration

version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"

Acceptance Criteria

• Dependabot is active and opens PRs for outdated Gradle dependencies and GitHub Actions versions
• PRs are labelled and grouped to minimize noise
• Configuration is committed to .github/dependabot.yml