Support our own stale-dependency checks #11257

Closed

stevejalim opened this issue Feb 28, 2022 · 4 comments

Comments

@stevejalim (Collaborator)

Description

Because we're using pip-compile-multi we – like others within the org and beyond – are finding that repos using multiple dependency files aren't being processed as we'd expect by Dependabot, e.g. dependabot/dependabot-core#536

To mitigate this, we can run our own workflow as a GitHub Action that runs pip list -o to at least warn us of stale deps. Ideally, it would also make PRs for them.

It could even be implemented separately from mozilla/bedrock so that other repos (Basket, Nucleus + other parts of Mozilla) can also use it.

Note: https://github.com/peterdemin/pip-compile-multi/blob/master/.github/workflows/pipcompilemulti.yml is a similar idea, from the author of pip-compile-multi to get around the problem. We would not be able to rely on using a third-party GH Action (unless it's on our approved list), but we can likely fork one or write our own.

(Equally, if there's an action that already does all of what we're talking about, we should consider forking and adopting it)


Success Criteria

  • GitHub Action exists that runs pip list -o and notifies the team about all outdated dependencies (that aren't in an ignorelist)
  • An ignorelist of dependency versions is allowed, supporting major, minor and patch versions. This should be easy/lightweight to add to, but does not need to mimic Dependabot's comment-driven control
  • The custom action lives in its own repository, so it can be installed by other repos.

Stretch goals

  • PRs with updated dependencies should be created
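
As an added example (not bedrock's code, and not the action this issue asks for), here is the core of the first two success criteria in a single script: it reads the JSON form of `pip list --outdated`, drops every package whose newest release is covered by an ignorelist, prints the rest, and exits non-zero when anything remains so that an Actions job fails and the team is notified. The ignorelist format (one `name==version-prefix` per line, with the prefix length selecting major, minor or patch scope), the `--live` flag and the sample data are assumptions constructed for this example.

```python
"""Filter `pip list --outdated --format=json` output against an ignorelist.

Added example for this issue, not bedrock's code. The ignorelist format is an
assumption: one `name==version-prefix` per line, `#` starts a comment.
"""
import json
import re
import subprocess
import sys

# Constructed sample in the shape pip emits for `pip list --outdated --format=json`.
SAMPLE_OUTDATED = json.dumps([
    {"name": "Django", "version": "3.2.12", "latest_version": "4.0.3", "latest_filetype": "wheel"},
    {"name": "requests", "version": "2.26.0", "latest_version": "2.27.1", "latest_filetype": "wheel"},
    {"name": "certifi", "version": "2021.10.8", "latest_version": "2022.2.15", "latest_filetype": "wheel"},
    {"name": "pytest", "version": "7.0.0", "latest_version": "7.0.1", "latest_filetype": "wheel"},
])

# Constructed ignorelist. The prefix length sets the scope of each rule:
#   Django==4       ignore every 4.x.y release (major)
#   requests==2.27  would ignore 2.27.x releases (minor)
#   pytest==7.0.1   ignore exactly that release (patch)
SAMPLE_IGNORELIST = """
# Django 4 needs a proper migration effort; revisit next quarter
Django==4
pytest==7.0.1
"""


def normalize_name(name):
    """PEP 503 name normalization so 'Django', 'django' and 'dJanGo' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_parts(version):
    """Split '4.0.3' into ['4', '0', '3']. A pre-release such as '4.0.3rc1' keeps
    'rc1' attached to the last part, so only a major or minor prefix matches it."""
    return version.split(".")


def parse_ignorelist(text):
    """Return {normalized_name: [prefix_parts, ...]}; malformed lines raise ValueError."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"ignorelist line is not 'name==version': {raw!r}")
        name, prefix = (s.strip() for s in line.split("==", 1))
        if not name or not prefix:
            raise ValueError(f"ignorelist line is missing a name or version: {raw!r}")
        rules.setdefault(normalize_name(name), []).append(version_parts(prefix))
    return rules


def is_ignored(name, latest_version, rules):
    """True when some rule prefix equals the leading components of latest_version."""
    parts = version_parts(latest_version)
    return any(parts[: len(prefix)] == prefix for prefix in rules.get(normalize_name(name), []))


def filter_outdated(outdated_json, ignorelist_text):
    """Packages from pip's JSON whose newest release is not covered by the ignorelist."""
    rules = parse_ignorelist(ignorelist_text)
    return [
        pkg for pkg in json.loads(outdated_json)
        if not is_ignored(pkg["name"], pkg["latest_version"], rules)
    ]


def format_report(outdated):
    """One line per package, suitable for the job log or a chat/issue notification."""
    if not outdated:
        return "No outdated dependencies outside the ignorelist."
    width = max(len(p["name"]) for p in outdated)
    lines = [f"{p['name']:<{width}}  {p['version']} -> {p['latest_version']}" for p in outdated]
    return "Outdated dependencies:\n" + "\n".join(lines)


def live_outdated_json():
    """Run the real `pip list --outdated --format=json` in this interpreter's environment
    (needs index access; only used with --live)."""
    result = subprocess.run(
        [sys.executable, "-m", "pip", "list", "--outdated", "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    data = live_outdated_json() if "--live" in sys.argv else SAMPLE_OUTDATED
    remaining = filter_outdated(data, SAMPLE_IGNORELIST)
    print(format_report(remaining))
    # A non-zero exit fails the workflow job, which is the notification.
    sys.exit(1 if remaining else 0)
```

Run with no arguments to see the constructed sample filtered (Django 4.0.3 and pytest 7.0.1 are suppressed, requests and certifi are reported), or with `--live` inside a CI job to check the real environment. The prefix rule is deliberately blunt: it never parses PEP 440 beyond splitting on dots, so a rule like `Django==4` also hides 4.1 and 4.2 until someone removes it, which is the lightweight, non-Dependabot control the success criteria describe.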

@stevejalim (Collaborator, Author)

@robhudson @pmac Thoughts welcome on the above - feel free to edit as you see fit!

@stevejalim (Collaborator, Author)

We may not need this at all if #11266 sorts it out

@alexgibson (Member)

@stevejalim is this one still needed now that #11266 merged?

@stevejalim (Collaborator, Author)

Yeah, we're OK, I think.
