Set up Dependabot

[vorburger]

While looking at #2185 I noticed something else technically unrelate which IMHO would also be good to set-up:

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates

I'll have a go at seeing if I can enable this (it should either be not very hard, or if there is something particular I'm missing that's specific to Gradle for Android that's a big enough PITA that it's not worth pursuing it further).

The expected result would be to start seeing https://github.com/MariaDB4j/MariaDB4j/pulls?q=is%3Apr++label%3Adependencies+ on this repo. (And on https://github.com/google/android-fhir/security/dependabot as well as on https://github.com/google/android-fhir/network/updates) We can tune the frequency and such things, if required (I've done it before).

@fredhersch @jingtang10 @omarismail94 @williamito FYI (please do shout here if there is any particular reason why this project would not want to benefit from automated dependency upgrades).

[vorburger]

PR #2196 alone might actually not suffice (but is probably still required); I suspect both that one to make a start but then also a solution for #2194 is required... let's just try and see!

[jingtang10]

have you seen this https://medium.com/@vladyslav.hontar/dependabot-in-action-d9b56b2be86c?

[vorburger]

Re-opening, this is NOK, see e.g. https://github.com/google/android-fhir/runs/17467825398:

Dependabot couldn't parse the config file at .github/dependabot.yaml. The error raised was:

(<unknown>): did not find expected key while parsing a block mapping at line 3 column 1

[vorburger]

Re-opening, this is NOK, see e.g. https://github.com/google/android-fhir/runs/17467825398:

This doesn't happen anymore (after #2234).

But https://github.com/google/android-fhir/settings/security_analysis still says Dependabot version updates. Allow Dependabot to open pull requests automatically to keep your dependencies up-to-date when new versions are available. as if this wasn't configured yet.

have you seen this https://medium.com/@vladyslav.hontar/dependabot-in-action-d9b56b2be86c?

This looks like what we may have to do... I'll try this out some time.

[vorburger]

Duh, e.g. https://github.com/google/android-fhir/runs/17521930462 (et al) now fails with:

Your .github/dependabot.yaml contained invalid details
Dependabot encountered the following error when parsing your .github/dependabot.yaml: The property '#/' contains additional properties ["open-pull-requests-limit"] outside of the schema when none are allowed.

At this point, I'm just going to remove that open-pull-requests-limit thing, for now; see #2242.