chore: send one PR a week with _all_ golang dependabot updates

[plumpy]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @plumpy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request streamlines the dependency update process by reconfiguring Dependabot to consolidate multiple daily pull requests into single weekly ones for both Go modules and GitHub Actions. The change aims to reduce PR noise and enhance efficiency in dependency management by presenting all updates in a single, manageable batch, while also expanding the list of excluded paths for Go module updates.

Highlights

• Consolidated Go Module Updates: Dependabot will now group all Go module updates into a single weekly pull request, moving from daily individual PRs to a more consolidated approach. This is achieved by changing the schedule to 'weekly' and configuring a 'golang' group that includes all patterns.
• Expanded Exclusions for Go Modules: Several new paths, including 'codelab', 'hack', 'integration', and 'pkg/skaffold/build/ko/testdata', have been added to the gomod Dependabot configuration to exclude them from dependency updates.
• Grouped GitHub Actions Updates: Similar to Go modules, all GitHub Actions dependency updates will now be grouped into a single weekly pull request by configuring a 'github-actions' group.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the Dependabot configuration to group Go module and GitHub Actions updates into weekly pull requests, which will help reduce notification noise. The change to the gomod configuration also expands the list of excluded paths. While the grouping is a good improvement, the new exclude-paths use broad directory exclusions (hack, integration) which could unintentionally prevent important dependencies from being updated. I've added a comment with a recommendation to use more specific paths to mitigate this risk.

[gemini-code-assist]

Using broad directory exclusions like hack and integration can be risky as it might unintentionally prevent Dependabot from updating Go modules that should be kept up-to-date. For instance, this change broadens the exclusion from integration/examples to the entire integration directory, and adds a new exclusion for hack. This will cause Dependabot to ignore all go.mod files within these directories, such as hack/tools/go.mod and potentially important integration test helpers. This could lead to stale dependencies. It is recommended to use more specific paths for exclusion to avoid this, for example hack/tools or integration/examples.