ci: configured auto-approve & auto-merge for dependabot

[fredbi]

• All groups are checked once a week and each produce at most 1 PR.
• All dependabot PRs are auto-approved

Caveats:

• this requires auto-merge to be enabled in the repository settings
  [done]
• this requires all desired tests to be required in the branch
  protection rule [done]

• package-ecosystem: "github-actions"

  1. development-dependencies are auto-merged

• package-ecosystem: "gomod"
  We define 4 groups of dependencies to regroup update pull requests:

  • development (e.g. test dependencies)
  • go-openapi updates
  • golang.org (e.g. golang.org/x/... packages)
  • other dependencies (direct or indirect)

  Auto-merging policy, when requirements are met:

  1. development-dependencies are auto-merged
  2. golang.org-dependencies are auto-merged
  3. go-openapi patch updates are auto-merged. Minor/major version updates require a manual merge.
  4. other dependencies require a manual merge

Signed-off-by: Frederic BIDON fredbi@yahoo.com

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6f774b2) 70.50% compared to head (5f57e75) 70.50%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #23   +/-   ##
=======================================
  Coverage   70.50%   70.50%           
=======================================
  Files           1        1           
  Lines         339      339           
=======================================
  Hits          239      239           
  Misses         75       75           
  Partials       25       25           

Flag	Coverage Δ
oldstable	70.50% <ø> (ø)
stable	70.50% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[fredbi]

This has been tested successfully on my fork.

[fredbi]

NOTE: I've inspected Renovate too and it does about the same thing. Renovate is not really easier to configure for golang (but hey there is a "go-openapi" standard preset !) and dependant comes natively integrated with github. dependabot seems good enough for the go-openapi packages.
I hope that the one-a-week update periodicity is good enough. Please let me know if in your opinion, this is enough noise-reduction to keep dependencies up to date, and I'll generalize to other go-openapi repos.