chore(deps): add dependabot.yml

[ylz-at]

Signed-off-by: Jinesi Yelizati [email protected]

What this PR does / why we need it:

With this PR, Dependabot can automatically/daily scan the dependencies described in go.mod and create a pull request if there is a newer version of the upstream package available.

The maintainers of this repository don't need to check the versions of the upstream packages manually. They can simply merge the PR if the tests in CI passed.

How Dependabot works:

• Dependabot checks for updates
• Dependabot opens pull requests
• You review and merge

You can check my forked repository https://github.com/ylz-at/oras/pulls to see what kind of PRs does Dependabot create.
And in ylz-at/oras there are already 5 PRs automatically created by Dependabot.

Special notes for your reviewer:
Dependabot is already integrated with github.
The features in settings -> Security & Analysis -> Configure security and analysis features should be enabled.

If applicable:

• this PR contains documentation
• this PR contains unit tests
• this PR has been tested for backwards compatibility

[jdolitsky]

Thank you!

[jdolitsky]

Looks like dependabot is enabled in settings