Configure Dependabot using a YAML config file

[zackkrida]

Description

For this repository, Dependabot is enabled but not configured. Adding a .github/dependabot.yml file should fix that. Using the file we can configure things like the update schedule and the labels to attach to the PRs made by Dependabot.

Expectation

Dependabot should make regular, well-labeled PRs to the repository.

Additional context

You can use the config from the API repo as a reference. Also see the GitHub docs describing this config file.

Resolution

• 🙋 I would be interested in resolving this bug.

[AetherUnbound]

Part of the reason we don't have dependabot set up on this repo is that Airflow is very particular about its dependencies. So much so that the installation instructions from PyPI specifically describe using the provided constraints file for a given version. This constraints file dictates all of the dependencies that Airflow interacts with; it does not pin dependencies for everything available in PyPI. I think we can look into using dependabot here, but we might need to restrict it to only the dev dependencies (or even just a subset of our dependencies) as it's likely that the versions dependabot suggests will conflict with the provided constraints file.

[obulat]

Unassigning myself from this issue because I'm not sure how to proceed. We are using Renovate for the other repositories now. Should we close this issue altogether?

[AetherUnbound]

We could certainly use Renovate for the dev dependencies, if that's something it's capable of doing!