22: Add configuration options for introducing dependabot

[adigidh]

fixes #22

Enabling dependabot for the repository. The configuration aims at addressing Docker images, npm packages, and go modules.

Summary of changes:

• Used Grouping: Dependabot will group certain dependencies with the keyword “group”.
• For github-actions, I just used a single group, and used a wildcard pattern to achieve like an "everything group".
• Limiting the security updates to the dependencies and ignore dev dependencies. Highlighted in dependency-type: "production"

[adigidh]

Might need one of the maintainers to help me with enabling this on the repo settings:
https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide#enabling-dependabot-for-your-repository

Other questions:

• Do you want dependably PRs be opened at certain timeframe? Weekly/ monthly or at a certain time?
• Would you be open to assigning specific reviewers for dependably pull requests?
• Is it okay to create custom labels for the issues dependabot opens?

[vishnoianil]

Might need one of the maintainers to help me with enabling this on the repo settings: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide#enabling-dependabot-for-your-repository

@adigidh This is done.

Other questions:

• Do you want dependably PRs be opened at certain timeframe? Weekly/ monthly or at a certain time?

I think weekly would be a better option.

• Would you be open to assigning specific reviewers for dependably pull requests?

We have instructlab/ui-maintainers group that has all the maintainers in it. I think it's good to add that group as a reviewer. If that doesn't workout, please add me and @nerdalert as a reviewer.

• Is it okay to create custom labels for the issues dependabot opens?
  Absolutely!

Thanks for the PR @adigidh , Great work! Appreciate it.

[vishnoianil]

@adigidh Can you please signoff your commit, so that it can pass the DCO job. Thanks!

[vishnoianil]

Overall PR looks good. Minor comments and requires DCO fixing.

[vishnoianil]

I think we can probably remove this limit ?

[adigidh]

removing the limit as suggested. We can add it back in later incase we feel like dependabot is introducing a lot of noise with PRs per week 👍

[vishnoianil]

I think we should point it to /deploy directory?

[adigidh]

the dockerfile is in the server directory, and we'll have to specify the root directory where dependabot should look for dockerfiles. The /deploy directory didn't have any dockerfiles.

[vishnoianil]

that makes sense. We don't use the docker file in /server currently. Mainly we use the one present in the root directory -Containerfile and Containerfile.ps, so i think we should point it to /?

[adigidh]

Good to know. Appreciate the details, I just made the update.

[vishnoianil]

Please add a newline here.

[adigidh]

Thanks for taking a look @vishnoianil.

Summary of changes:

• Added reviewers to the configuration: "instructlab/ui-maintainers" group
• Removed pull requests limit.
• Requisite updates for DCO fixes.

[vishnoianil]

Thanks for taking a look @vishnoianil.

Summary of changes:

• Added reviewers to the configuration: "instructlab/ui-maintainers" group
• Removed pull requests limit.
• Requisite updates for DCO fixes.

awesome, one minor comment and it's good to go.

[vishnoianil]

LGTM

[vishnoianil]

@adigidh Thank you for your contribution!