From 8249d4955890126fadd0a9f9dd65efde96f75bdc Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Wed, 15 May 2024 08:42:21 -0700 Subject: [PATCH] feat(cicd): add `dependabot.yml` for version update config (#472) This PR adds the [`dependabot.yml`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) config file, which defines which package types dependabot should look for updates for, and on what schedule. We noticed that when we added CodeQL and dependabot at the same time it threw some errors. Seems like we need to merge CodeQL first (#468), _then_ this PR. **Note:** This is our first time setting up dependabot with `package-ecosystem: "npm"`. We assume it will work very similarly to our Python projects, but we won't know until we give it a try. **Note:** The `npm` package type also supports `yarn`. See [`package-ecosystem`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) docs. Co-authored-by: Bill Himmelsbach --- .github/dependabot.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..66ed31114 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily"
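Review bot: the `npm` entry uses `directory: "/"`, which only works if the `package.json` (and its lockfile) sit at the repository root; since the description says this is the first time `package-ecosystem: "npm"` is being set up here, confirm the manifest location before merging, otherwise Dependabot will fail the update job with a missing-manifest error rather than opening PRs. The `github-actions` entry at `"/"` is fine as written, since that ecosystem is resolved from `.github/workflows` regardless of `directory`. Separately, `interval: "daily"` for npm with no `open-pull-requests-limit` or `groups` section tends to produce a steady stream of one-dependency PRs; consider adding a `groups:` block (or switching npm to `interval: "weekly"`) so related bumps land in a single reviewable PR and the CodeQL workflow referenced in #468 runs once per batch instead of once per dependency.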