feat: auto merge dependabot PRs for patch updates

[Mossaka]

This PR adds a new action called "Dependabot automation" which will automatically merge dependabot PRs for patch updates. According to this doc,

If you enable auto-merge for a pull request, the pull request will merge automatically when all required reviews are met and all required status checks have passed.

which means the PRs won't be auto-merged if the tests gate fails or it doesn't have the required number of reviews.

Hence I've also added gh pr review --approve "$PR_URL to automatically approve the dependabot PRs.

Since this automates the process of merging dependabot PRs, I've set the schedule interval for depdnabot to "daily".

Close #150

Could you please take a look? @utam0k

[jprendes]

which means the PRs won't be auto-merged if the tests gate fails or it doesn't have the required number of reviews.

Does this mean that any failing CI test would prevent the auto merge?
IIUC, the main branch should be protected from failing CI tests. Is this currently the case?

[cpuguy83]

Is this currently the case

Just reviewed branch protection.
It is now.
PR's also require an approver.

Honestly I'm not particularly on board with auto-merging dependabot, especially knowing our CI is missing some important checks (like validating protos).

[Mossaka]

@cpuguy83 thanks for the suggestion. I am going to create an issue for adding more CI checks like validaitng protos.

It seems like this PR won't be merged in until we've done the above first. I will convert it to a draft and leave it there.

[Mossaka]

@cpuguy83 it looks like we already are validaitng protos in the CI according to this comment. Do you think you will be okay with merging this PR now?

[cpuguy83]

I still don't like auto-merging dependabot, but I wouldn't want to block it if others find it useful.

[Mossaka]

@cpuguy83 would you please state the reasons why you don't like auto-merging dependantabot? This will help me understand the tradeoffs better.

[jsturtevant]

I am not a big fan of auto-merging because it doesn't give awareness to maintainers. I like the manual step reviewing and understanding what changed even if it takes an extra step. Even if tests pass there might be a reason not to merge (either something like missing tests or some other external reason (one example could be a library gets compromised, and we need it pinned to a particular version).

In summary, I love having dependa-bot do the manually labor but like the human check before merging.

[Mossaka]

Closing this PR