Create dependabot.yml #4547

Merged
merged 1 commit into from
Feb 6, 2025

Conversation

ranocha
Contributor

@ranocha ranocha commented Feb 6, 2025

Dependabot is like CompatHelper for GitHub actions. It creates PRs and bumps the versions of GitHub actions you are using. This reduces the maintenance burden, as you no longer have to develop PRs like #3902 manually.

@fingolfin
Member

We disabled CompatHelper because it was mostly useless for us and overall caused more work than it saved.

I am sceptical about Dependabot in this regard.

@lgoettgens
Member

lgoettgens commented Feb 6, 2025

(I think that most of the discussion here also applies to thofma/Hecke.jl#1735, Nemocas/Nemo.jl#2020, Nemocas/AbstractAlgebra.jl#1984, oscar-system/GAP.jl#1144, oscar-system/Singular.jl#851, and oscar-system/Polymake.jl#506. Let's keep it here in one place and then take appropriate actions in the other repos after we have come to a conclusion here.)

From my experience with dependabot in https://github.com/JuliaTesting/Aqua.jl since last October, I must admit that I like it.

I think there are some fundamental differences between CompatHelper and dependabot, or even more between Julia dependencies and GitHub actions:

  • When a Julia dependency has a breaking release, we usually have to adjust something here (aka the CompatHelper PR does not help and gets closed). Most version bumps in GitHub actions need no manual intervention (e.g. changes in the base image, or changes in some parameters that we don't use) or only need changes outside of the code (e.g. the codecov v3->v4 change where some token had to be set in the project settings).
  • CompatHelper only does a bump; one has to search for and look through the release notes of a dependency package manually. CompatHelper prints the relevant part of the release notes directly into the PR.

I am happy to hear opinions from others.

@lgoettgens lgoettgens added the CI label Feb 6, 2025

codecov bot commented Feb 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.41%. Comparing base (3ca33ad) to head (9384fb5).
Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4547      +/-   ##
==========================================
- Coverage   84.42%   84.41%   -0.01%     
==========================================
  Files         672      672              
  Lines       89193    89193              
==========================================
- Hits        75300    75294       -6     
- Misses      13893    13899       +6     

see 2 files with indirect coverage changes

@fingolfin
Member

OK, if you had positive experience with @lgoettgens I am willing to give it a try and see how it behaves, we can still yank it again.

But I'll also wait to hear what e.g. @benlorenz and @thofma think.

@thofma
Collaborator

thofma commented Feb 6, 2025

Most of the PRs in https://github.com/JuliaTesting/Aqua.jl/issues?q=is%3Apr+author%3Aapp%2Fdependabot were closed without merging. Seems to be quite labor-intensive for me for a tool that should make my life easier.

@lgoettgens
Member

> 50% the PRs in JuliaTesting/Aqua.jl/pulls (is:closed dependabot) were closed without merging. Seems to be quite labor intense for me.

This was a byproduct of me trying out and learning what the different config options do. I closed these so that they get re-generated with other config options.
But what @ranocha proposes here is exactly what I ended up with as well (apart from the schedule)

@thofma
Collaborator

thofma commented Feb 6, 2025

OK. Happy to give it a try.

@fingolfin fingolfin enabled auto-merge (squash) February 6, 2025 16:41
@fingolfin fingolfin merged commit 158a353 into oscar-system:master Feb 6, 2025
29 of 35 checks passed
@fingolfin fingolfin added the release notes: not needed PRs introducing changes that are wholly irrelevant to the release notes label Feb 6, 2025
@ranocha ranocha deleted the patch-2 branch February 6, 2025 18:24