github: Enable dependabot for stable branch

.github/dependabot.yml

@@ -14,6 +14,25 @@ updates:
     - kind/enhancement
     - release-note/misc
     - priority/release-blocker
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "vendor:"
+    # Setting open-pull-requests-limit to 0 means that dependabot will not
+    # update regular dependencies on this target branch, but still provide
+    # security updates for our gomod dependencies
+    open-pull-requests-limit: 0
+    target-branch: "v0.11"
+    rebase-strategy: disabled
+    ignore:
+      - dependency-name: "github.com/cilium/cilium"
+    labels:
+      - kind/enhancement
+      - release-note/misc
+      - priority/release-blocker
+
   - package-ecosystem: github-actions
     directory: /
     schedule:
@@ -26,6 +45,20 @@ updates:
     - kind/enhancement
     - release-note/misc
     - priority/release-blocker
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "ci:"
+    open-pull-requests-limit: 5
+    rebase-strategy: disabled
+    target-branch: "v0.11"
+    labels:
+      - kind/enhancement
+      - release-note/misc
+      - priority/release-blocker
+
   - package-ecosystem: docker
     directory: /
     schedule:
@@ -38,3 +71,20 @@ updates:
     - kind/enhancement
     - release-note/misc
     - priority/release-blocker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "dockerfile:"
+    open-pull-requests-limit: 5
+    rebase-strategy: disabled
+    target-branch: "v0.11"
+    ignore:
+      # Only bump the patch version in stable branches
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    labels:
+      - kind/enhancement
+      - release-note/misc
+      - priority/release-blocker

RELEASE.md

@@ -131,6 +131,12 @@ After `v$MAJOR.$MINOR.$PATCH` is released, the next commit should restore the
 `v$MAJOR.$MINOR` branch to the `v$MAJOR.$MINOR.{$PATCH+1}-dev` to separate
 unreleased hubble versions in a branch from releases.
 
+## Update the `dependabot` configuration
+
+After a new stable `v$MAJOR.$MINOR` release branch has been created, update
+the `.github/dependabot.yml` field for `target-branch` to point to the newly
+created branch, instead of the old stable branch.
+
 ## Announce the release on Slack
 
 Post a release announcement message in the [Cilium Slack #hubble