Add Dependabot #21092

Closed
wants to merge 2 commits into from

Conversation

@ottnorml ottnorml commented Oct 5, 2023

Thank you for your contribution to OpenRA!

Please be aware that we do not have enough project maintainers to match the rate of contributions, so it may take several days before somebody is able to respond to your Pull Request.


If you need any help you can ask on Discord (https://discord.openra.net) or in the #openra IRC channel on Libera (not as active as Discord).

@Mailaender (Member)

Thanks, but internal discussion came to the conclusion that we can't just automatically update dependencies.

@Mailaender Mailaender closed this Oct 5, 2023
@abcdefg30 abcdefg30 added the hacktoberfest-accepted Label to mark PRs as accepted for the Hacktoberfest label Oct 5, 2023
@ottnorml (Author) commented Oct 8, 2023

First of all, thanks to @abcdefg30 for the hacktoberfest-accepted label and to @Mailaender for the reply, even though it's sad news for my PR.
I read your discussion on Discord and understand the concerns about the potential problems with updating dependencies this way. However, I think this PR adds value to the project, which is why I made changes to it. But before I go into the benefits, I would like to give an overview of the dependencies monitored by Dependabot and which of them can be updated. In total there are 30 dependencies, of which 7 can be updated at the moment, split into 4 MAJOR and 3 MINOR version updates:

Now that I have shown the extent of the dependencies, the small number of current updates, and the low probability of timely release of further updates, it is easier to estimate the effort to be expected in the future and move on to the next topic.
That would be the more common issue of updates not running smoothly that you mentioned in your discussion.

  1. Dependabot distinguishes between major, minor and patch updates resulting from the Semantic Versioning Specification.
     According to this, all stable non-major updates MUST be backward compatible, so such updates can usually be applied without hesitation. However, if this is not the case, it should be easy to notice from failed tests, as the code is tested for each PR to be merged into the bleed or a prep-* branch.

  2. Major updates may contain incompatible API changes. This can lead to problems that are not easy to fix and may require time-consuming adjustments. It often helps to see the results of the code tests. This way, the introduced changes and the resulting errors can be quickly visualized and better assessed. Thanks to Dependabot's open PR, testing is done by the CI, which is convenient and saves time and effort.

  3. And as a last point, I would like to mention that Dependabot regularly checks for updates and collects them into PRs depending on the type of update. It then waits for a maintainer to give it further instructions about the particular PR. For this reason, it also does NOT merge PRs on its own, but only when prompted to do so. Its command set also includes a rudimentary update management to suspend updates.
     Finally, each new PR is also a small reminder to take care of dependencies, which also helps the project along.

I hope that I could convince you with my arguments to give Dependabot a chance and just give it a try. So what can go wrong?

Many greetings

P.S.:
In order for my changes to appear, you need to reopen this PR. Otherwise, I can of course create a new PR.

@ottnorml (Author) commented Oct 8, 2023

P.P.S:
You can see what such PRs look like in my fork (for major updates see ottnorml#68, for minor updates see ottnorml#69).

@Mailaender (Member)

I submitted pull requests for the version bumps that make sense:
#21099
#21100
which is 2/6 of the automated ones.

Usually, they also require API changes and extensive testing. Nothing that a bot could do.

@abcdefg30 (Member)

Still, there is value in getting notified of a new version. What happens when we find out that we cannot use a new version, would dependabot regularly open PRs for it? Is it possible to open an issue instead? (And just one then.)
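The behaviour described in the Oct 8 comment (updates grouped by type, PRs that are only merged when a maintainer says so, a way to suspend updates) and the question just above (how to stop Dependabot from repeatedly opening a PR for a version the project cannot use) both map onto the `.github/dependabot.yml` configuration. The following is an added illustration, not the file from this PR (the page does not show its contents): the ecosystems (NuGet for the C# projects, GitHub Actions for the workflows), the weekly schedule, the group names and the ignored package `Example.Package` are assumptions chosen for the example.

```yaml
# Added example of a .github/dependabot.yml; NOT the configuration from PR #21092.
# Ecosystems, schedule, group names and the ignored package are assumptions.
version: 2
updates:
  # NuGet packages referenced by the project files under the repository root.
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of simultaneously open Dependabot PRs so the bot cannot
    # flood the review queue; PRs beyond the limit wait until one is closed.
    open-pull-requests-limit: 5
    # Collect all minor and patch bumps into ONE pull request. SemVer says
    # these must stay backward compatible, so they can be reviewed and run
    # through CI together. Major bumps are not grouped here, so each of them
    # arrives as its own PR and can be assessed (and rejected) individually.
    groups:
      nuget-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Once maintainers have decided that a new major version of a package
    # cannot be adopted, listing it here stops Dependabot from re-opening a
    # PR for it. "Example.Package" is a placeholder, not an OpenRA dependency.
    ignore:
      - dependency-name: "Example.Package"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
    commit-message:
      prefix: "nuget"

  # Pin and bump the actions used in .github/workflows as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-all:
        patterns:
          - "*"
```

Nothing in this file lets the bot merge anything: Dependabot only rebases or recreates its own PRs and otherwise waits for a maintainer. The same suppression the `ignore` stanza provides can also be applied from the PR itself by commenting `@dependabot ignore this major version` (or `@dependabot ignore this dependency`), which closes the PR and prevents new ones for that version range until the ignore is removed.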

@PunkPun (Member) commented Oct 12, 2023

A PR is better. The spamming issue is a separate out

Labels: hacktoberfest-accepted (Label to mark PRs as accepted for the Hacktoberfest), PR: Conceptual concerns

4 participants