Create dependabot.yml to automatically pick up new versions #106
jtpio wants to merge 1 commit into jupyterlite:main from
agriyakhetarpal
left a comment
Hi @jtpio, I wish to send out a gentle ping here – and a review of the changes if it helps! :)
You may also refer to https://github.com/data-apis/array-api-compat/blob/8a7999434452019c3110e06f6224fa71a023a549/.github/workflows/dependabot-auto-merge.yml so that the PRs are auto-merged if the required CI jobs pass (though more stringent required checks can be added in the settings, of course). This is in case PR spam is a concern.
Though any breakages would be mostly caught by the fact that we release multiple alpha releases first before a final release, if we don't want to auto-merge the PRs for, say, dependencies such as jupyterlite-core itself, we also have an option of sifting through the output via steps.dependabot-metadata.outputs.dependency-names.
See also: https://github.com/dependabot/fetch-metadata#enabling-auto-merge
In a nutshell, this PR would be pretty reasonable to revisit, as it would bring websites and other places on the internet that are using this deployment up to date faster (xref: #151).
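
The auto-merge setup with the dependency-names filter mentioned in the comment above could look like the workflow below. This is an added example, not part of this PR or of the linked array-api-compat workflow. It assumes auto-merge and required status checks are enabled in the repository settings; the file name and job name are hypothetical.

```yaml
# Added example (hypothetical file: .github/workflows/dependabot-auto-merge.yml)
name: Dependabot auto-merge
on: pull_request

# Least privilege: only what `gh pr merge --auto` needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Only act on pull requests that Dependabot itself opened.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        # Tag used for readability; pin to a full commit SHA in practice.
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge unless jupyterlite-core is being updated
        # dependency-names is a comma-separated list; PRs touching
        # jupyterlite-core are left for a human to review and merge.
        if: ${{ !contains(steps.dependabot-metadata.outputs.dependency-names, 'jupyterlite-core') }}
        # --auto waits for the required checks to pass before merging.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With this in place, what actually gates a merge is the set of required checks configured in branch protection, so those checks are the control to review before enabling it.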
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" |
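Review bot: the `updates` list has a single entry, `package-ecosystem: "pip"` at `directory: "/"`, so nothing here tracks the action versions used by workflow files. If those should be kept current as well, add a second entry with `package-ecosystem: "github-actions"` and `directory: "/"`. Separately, `interval: "daily"` is the noisiest schedule for a configuration that is copied into every repository generated from this template; `"weekly"` would cut the PR volume raised in the discussion.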
| version: 2 | |
| updates: | |
| - package-ecosystem: "pip" | |
| directory: "/" | |
| schedule: | |
| interval: "daily" | |
| version: 2 | |
| updates: | |
| - package-ecosystem: "pip" | |
| directory: "/" | |
| schedule: | |
| interval: "daily" | |
| labels: | |
| - "maintenance" | |
| open-pull-requests-limit: 5 |
This will do as stated – I think reducing the number of open pull requests would help reduce spam. In any case, I would be happy to help review these PRs, if I were given triage rights to this repository or similar, by being added under a reviewers: section.
Now that I think of it, adding this Dependabot configuration would also add it for everyone who uses this template, which I can see many users might not like, due to previously mentioned PR spam. A feature request for adding files to ignore when generating a repository from a template is still open at the moment, and apparently isn't on GitHub's roadmap. I do see there's a nice workaround GitHub Action that will run only once on template generation (wouldn't work on forks) and delete the files. However, I don't know if this is worth the effort adding, documenting, and having to maintain.

Yes that was the primary reason for keeping it as a draft for now.

Coming back to this, I think we can proceed with this change at the moment – it has come to my knowledge that Dependabot isn't enabled by default and doesn't get enabled when the So, as long as we document the fact that users can enable Dependabot in the repository settings for keeping GitHub Actions and
This will help repos generated from this template keep their dependency on jupyterlite up-to-date when new JupyterLite releases are out.

This should also update other dependencies listed in requirements.txt.

Fixes #44