Automate dependency upgrades with dependabot

[corneliusweig]

Dependabot could automatically create PRs if some of our dependencies change. It doesn't work great with all dependencies, but it could at least alert us about new versions.
Some kubernetes subprojects seem to already use dependabot (some discussion: kubernetes/org#945).

So WDYT? Should we try it out?

[ahmetb]

It definitely makes a lot more sense on an org like kubernetes-clients where language-specific repos are maintained. I'm not sure if it helps a lot for our case. Our dependency list is pretty minimal, so it might become more of a hassle/noise than helpful, since our dependencies probably update way more frequently than we ship (e.g. once or twice a year based on current trends).

[corneliusweig]

One of my goals is to make us aware of available updates. But you have a good point that it will create a disproportionate amount of noise, given our infrequent releases.

So what about that: we add an item to our release procedure that reminds us about bumping versions. That way we don't have the noise and still get reminded of that chore when it becomes relevant.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[corneliusweig]

I tried this out in another project and dependabot creates quite a lot of noise. For us it's probably not worth it.
/close

[k8s-ci-robot]

@corneliusweig: Closing this issue.

In response to this:

I tried this out in another project and dependabot creates quite a lot of noise. For us it's probably not worth it.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.