
Enable Dependabot on maintained release branches #6934

Open
antoninbas opened this issue Jan 16, 2025 · 1 comment
Labels
area/build-release Issues or PRs related to building and releasing area/dependency Issues or PRs related to dependency changes. kind/task Categorizes issue or PR as related to a routine task that needs to be performed lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@antoninbas
Contributor

antoninbas commented Jan 16, 2025

We currently use Dependabot on the main branch. It runs periodically and submits PRs to update Go module dependencies. This means that dependencies are pretty much always up-to-date, and avoids security vulnerabilities.
However, we do not currently use Dependabot on release branches. This means that recent release branches which are still maintained (currently release-2.2 is the most recent release branch, as v2.2 is the latest Antrea minor release) can use older dependency versions, which may be affected by security vulnerabilities, even though a more recent version of the dependency which patches the vulnerability may exist. We do not systematically backport dependency updates to release branches as that would be quite the burden - even if we could easily identify which ones patch security vulnerabilities.

We should look into whether Dependabot can be enabled on maintained release branches (at the moment, that would be at least release-2.1 and release-2.2). Dependabot has a target-branch option, which may be what we need here. Note that for release branches, we only need security updates (applies-to: security-updates), we do not want to systematically update dependencies when a new version is available, as that would generate too many PRs. One drawback of this approach would be that dependabot.yml would need to be updated every time a new minor version is released, in order to include the new release branch and remove the oldest one (which is no longer maintained).

@antoninbas antoninbas added area/dependency Issues or PRs related to dependency changes. area/build-release Issues or PRs related to building and releasing kind/task Categorizes issue or PR as related to a routine task that needs to be performed labels Jan 16, 2025
@antoninbas
Contributor Author

It seems that this is not possible to do at the moment, as target-branch is not applicable to security updates. Security updates and version updates are really 2 separate processes, and dependabot.yml seems mostly applicable to the second one.

See also this discussion: https://github.com/orgs/community/discussions/15027
It seems that there is no ongoing effort to address this in Dependabot. We will have to keep patching release branches manually before releasing patch versions, unless we want to switch to another tool - renovate - which is used by several other OSS projects and may support this feature (more investigation needed).
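For reference, the configuration the issue body sketches (per-branch `target-branch` entries plus an `applies-to: security-updates` group) looks like this; it is an added illustration, not the Antrea project's own `dependabot.yml`, and the branch names and schedule are assumptions taken from the thread.

```yaml
# Added example: what enabling Dependabot on maintained release branches
# would look like if target-branch covered security updates. As the thread
# concludes, it does not: Dependabot security updates are only raised against
# the default branch, so the release-branch entries below only ever produce
# version updates (the "too many PRs" case), not security-only updates.
version: 2
updates:
  # Default branch (main): full version updates, as already in use.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"

  # Maintained release branches (assumed names from the issue). Each entry
  # would have to be added on every minor release and removed once the
  # branch is no longer maintained.
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-2.2"
    schedule:
      interval: "weekly"
    groups:
      # applies-to is only valid inside a group; it restricts the group to
      # security updates, but target-branch is ignored for those, so this
      # entry still yields ordinary version-update PRs on release-2.2.
      security-only:
        applies-to: security-updates
        patterns:
          - "*"

  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-2.1"
    schedule:
      interval: "weekly"
    groups:
      security-only:
        applies-to: security-updates
        patterns:
          - "*"
```

Until Dependabot (or an alternative such as renovate) supports security-only updates against non-default branches, release branches still need manual dependency backports before a patch release, as the thread notes.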

@antoninbas antoninbas added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jan 22, 2025