
Add dependabot to keep workflow Actions updated #46427

Open
pnacht opened this issue Sep 7, 2023 · 5 comments · May be fixed by #46428
Labels
kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny status/0-triage

Comments

@pnacht

pnacht commented Sep 7, 2023

Description

Dependabot has recently released grouped updates, meaning an entire ecosystem can be updated with a single PR. I'd therefore like to suggest that Moby adopt Dependabot to keep its workflow Actions up-to-date.

I believe this mitigates the concerns raised in #44177 (comment) regarding the large volumes of PRs Dependabot ordinarily generates.

I'll send a PR along with this issue implementing this change.
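As an added illustration of the proposal above (this is not the configuration from the linked PR #46428, which is not shown here), a `.github/dependabot.yml` that enables Dependabot version updates for the `github-actions` ecosystem with all Action bumps grouped into a single pull request. The group name `all-actions` and the weekly schedule are assumptions; the keys themselves (`version`, `updates`, `package-ecosystem`, `directory`, `schedule`, `groups`, `patterns`) are Dependabot's documented configuration syntax.

```yaml
# .github/dependabot.yml (example configuration, not the project's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Dependabot scans the workflow files under .github/workflows for `uses:` lines
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence; one run per week
    groups:
      # Assumed group name; every matched Action goes into one combined PR
      all-actions:
        patterns:
          - "*"
```

With this in place, a single weekly PR carries every pending Action version bump, so reviewers inspect one diff instead of one PR per Action, which addresses the PR-volume concern without giving up the visibility of what changed in each workflow's `uses:` references.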

@pnacht pnacht added kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny status/0-triage labels Sep 7, 2023
@pnacht pnacht linked a pull request Sep 7, 2023 that will close this issue
@thaJeztah
Member

Does it still open pull requests against all 18.8K forks? 😬 (I know that was one of the other concerns)

@pnacht
Author

pnacht commented Sep 8, 2023

Ah, no, it doesn't. Dependabot is disabled by default on all forks. I even had to go to the settings and enable it on my fork even though I'd just added the dependabot.yml file myself.

@thaJeztah
Member

I even had to go to the settings and enable it on my fork even though I'd just added the dependabot.yml file myself.

I think that's only until it's merged in upstream; once it is, it's enabled.

i.e.; I'm getting pull requests all the time from dependabot on my own forks 😞
https://github.com/thaJeztah/compose/pulls?q=is%3Apr+author%3Aapp%2Fdependabot

And worse; it's creating branches on my fork (without the ability to deny it access to my fork, which in its own can be a security concern if dependabot would ever get compromised (which of course we hope would never happen)).

And from a quick check on other forks, I see those get them as well;

I think they slightly improved it and don't open PRs if the fork hasn't been updated for some time, but theoretically it could mean dependabot opening pull requests (and creating branches, without consent) on 18k+ forks 😢

@pnacht
Author

pnacht commented Oct 16, 2023

Sorry for the delay in replying here!

So, as of November 2022, dependabot is no longer automatically enabled for new forks. And per the documentation, this also applies to older forks that pull a new dependabot.yml:

Version updates are not automatically enabled on forks when a dependabot.yml configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a dependabot.yml configuration file from the original repository.


i.e.; I'm getting pull requests all the time from dependabot on my own forks 😞

You should now also be able to disable this in your fork's settings page: https://github.com/thaJeztah/compose/settings/security_analysis (there should be a "Disable" next to "Dependabot version updates").

@pnacht
Author

pnacht commented Nov 22, 2023

As an example, I just forked docker/compose myself and this is what I see in my fork's Security Analysis page:

Screenshot 2023-11-22 at 11 46 40

Note that it detects the dependabot.yml file, but lists it as "disabled". In fact, all the dependabot features are disabled on my fork; I have to manually "Enable" them.

If my previous suggestion to try disabling it in your fork's settings doesn't work (I can't test how things were before the November 2022 change...), you could always delete and recreate your fork... though the feasibility of that option depends on how much custom code is there.
