Set up an auto merge dependabot action #3159
Comments
Hmmm I don't know. There is this strange feeling somewhere in the back of my head that tries to tell me that automatically merging code into our codebase is wrong (we would grant merge permissions to the dependabot, which is a high level of trust to give away to a bot). On the other hand I can feel the pain that is mostly on you, dealing with the dependabot PRs. Couldn't we just manually merge the dependabot PRs as part of our release workflow? I know this will keep the PRs open for a while - which in turn makes the PR board look messy 😔 ... your call 😅

Dependabot is pretty trusted but I see your concern. I just changed the Dependabot settings to only care about security updates which is another way to fix this problem, let's see how this goes and reevaluate later.
I had the chance to feel the pain of merging those PRs once (once, only once haha) - it took me like 4h to get through like 12 PRs increasing a version number here and there. Halfway I started to wonder how to speed this up, and ended up thinking that doing the changes in one single PR manually and closing the bot PRs would have cost me only 30m (prolly a bit more, since a few PRs introduced conflicts, and some changes were hard to look up on the original repos). So yes I experienced that pain myself. Still I second @mofux's stance here - giving a bot the right to add stuff to the repo without a human supervising the process feels wrong to me. Imho doing the version upgrades once before release in one bigger PR is the safer bet. We would still catch security updates of the build deps with the new release. Which is still in time for our release strategy, as we don't backport security patches of build deps.

I didn't press save right after my last comment but ended up updating the settings to only do security updates a few days later. Since then we haven't had any PRs so it's working alright for now, we can always update to new major versions as needed.

It seems like dependabot pulled the auto merge feature they were working on at some point due to security concerns: dependabot/dependabot-core#1823 (comment)
Considering currently we just merge them without really looking and we only have a relatively small amount of dev dependencies, I'd say let's try out https://github.com/marketplace/actions/dependabot-auto-merge to merge in the non-major version PRs that pass checks automatically.
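An example of the workflow proposed in the comment above, added here and not part of the thread or the project. It uses GitHub's `dependabot/fetch-metadata` action plus `gh pr merge --auto` instead of the marketplace action linked above, and assumes the repository has "Allow auto-merge" enabled and branch protection with required status checks, so the merge only happens once CI is green.

```yaml
# Added example (not the project's own workflow): let Dependabot PRs merge
# on their own only for minor/patch bumps, and only after required checks pass.
# Major bumps stay open for a human to review.
name: dependabot-auto-merge
on: pull_request

# Least privilege: the job only needs to flag the PR for auto-merge.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # Skip PRs from humans and forks; only Dependabot's own PRs qualify.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Read update metadata from the PR
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for minor and patch updates only
        # Allow-list the update types instead of excluding "major", so an
        # unparsable or empty update-type is never merged by accident.
        if: contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.meta.outputs.update-type)
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because `--auto` defers the merge to GitHub's auto-merge feature, the PR is still blocked until every required check on the protected branch passes; without branch protection the PR would merge as soon as the step runs.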