Merge pull request #605 from LeonLuttenberger/wip/dependabot-config

chore: Configure dependabot

.github/dependabot.yaml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/dependabot-prs.yml

@@ -0,0 +1,26 @@
+name: Dependabot Pull Request Metadata
+on: pull_request_target
+
+jobs:
+  build:
+    permissions:
+      pull-requests: read
+
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          alert-lookup: true
+          compat-lookup: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Add a label for all PRs with an alert state
+        if: ${{ steps.dependabot-metadata.outputs.alert-state != '' }}
+        run: gh pr edit "$PR_URL" --add-label "vulnerability"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}