add dependabot config

[davidspek]

Inspired by kubeflow/pipelines#4682 I created a script that will create a config file for depandabot so that it knows what directories to scan. It will scan the repository for files named *ockerfile*, package*.json, *requirements.txt and go.*. It is setup for dockerfiles, npm packages, pip dependencies and gomod at the moment. It is trivial to further customize what folders are selected if further customization is needed. It also parses the closest OWNERS file for a given dependency listing file, and assigns the relevant approvers and adds the relevant reviewers to the PRs it creates.

This is a sibling PR to kubeflow/pipelines#5015, kubeflow/kubeflow#5542, kserve/kserve#1309, kubeflow/arena#403, kubeflow/testing#855, kubeflow/fairing#550, kubeflow/kfp-tekton#432 and kubeflow/katib#1420.

As it stands now, there are about 37 PRs that will be created with this configuration.

For reference, the PRs that will be created can be found here: https://github.com/DavidSpek/tf-operator/pulls

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DavidSpek
To complete the pull request process, please assign johnugeorge after the PR has been reviewed.
You can assign the PR to them by writing /assign @johnugeorge in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[davidspek]

/assign @jinchihe

[coveralls]

Coverage remained the same at 71.59% when pulling 7639d89 on DavidSpek:master into 5f002e4 on kubeflow:master.

[Jeffwan]

I feel like pulling assignees from owner file can be skipped. This repo is not that deep like other large projects. Can we just create a simple .github/dependabot.yml?

Another problem is Golang dependency has some correlation. Dependabot is smart but it still can not update all k8s dependencies to v1.18 etc. Seems it updates one by one. Due to k8s dependency management, we need to do some replacement. This doesn't help as well.

I am wondering if those auto-generated PRs are helpful.

[davidspek]

I can remove the part that looks for the closest owners of that is wanted. But personally I don’t see the harm of leaving it in.

Indeed the way it updates is one by one. This is why people still need to look over the PRs and maybe group the ones that belong to each other together. What it hopefully does do is give people the incentive to keep things up to date. For example, this repo does contain a security vulnerability, although it is a low severity one.

[davidspek]

I am holding the PR to have some control over when it gets merged so that the optional test infra doesn't get overloaded if all the repo's were to merge this at the same time.
/hold

[terrytangyuan]

Should we close this?

[davidspek]

@terrytangyuan I think it is up to the repo owners. If you do not require the advanced features of Renovate, dependabot is also a fine solution. If you would like to have Renovate enabled for this repo, I believe you will need to ask @Bobgy to do so. Either way, I suggest one of the two gets implemented.

[terrytangyuan]

Looking at the PRs created by the bot, I am uncertain they would be helpful and it's better to upgrade dependencies when necessary. I am closing this for now. Feel free to reopen when needed.