This repository has been archived by the owner on May 15, 2023. It is now read-only.

Enable dependabot #127

Merged
merged 1 commit into from
Dec 17, 2022

@ntkme
Contributor

ntkme commented Dec 14, 2022

This PR enables automatic dependency update checks and CI runs.

@ntkme
Contributor Author

ntkme commented Dec 17, 2022

@nex3 Can we get this in and have dependabot update cli_pkg before the next release? Currently this is still locked at a bad version, unfortunately.

@nex3
Contributor

nex3 commented Dec 17, 2022

The automated release process now runs dart pub upgrade as part of the release, so it should automatically get the latest non-breaking version of dependencies on release.

Is there a way to configure dependabot to only update packages that have major version changes? Generally (especially for Dart packages which have real version resolution) I like to keep version ranges as wide as possible while still indicating which features we rely on.

@ntkme
Contributor Author

ntkme commented Dec 17, 2022

You can check this sample PR and there is a foldable menu showing all commands you can use for dependabot, e.g. "@dependabot ignore this major version" will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself).

@ntkme
Contributor Author

ntkme commented Dec 17, 2022

Or you can just leave its PR open and dependabot will update the same PR when the next version comes out. Honestly there are many ways to use it, but the benefit is clear: the CI test is auto-triggered against the new dependency version.

@ntkme
Contributor Author

ntkme commented Dec 17, 2022

Another reason to use this is that the assumption that a new minor version of a dependency will not break is not safe, as we humans break things all the time. Testing new minor versions regularly is a good idea (even if we choose not to upgrade). Here is a great example from one of my projects where dependabot catches a regression in a dependency: buttons/github-buttons#361

@nex3
Contributor

nex3 commented Dec 17, 2022

It looks like what I want is version-strategy: increase-if-necessary, but it doesn't look like that's supported for pub for some reason. It's possible that the default dependabot config for pub will work this way, though, so I suppose we can give it a try.

@nex3 nex3 merged commit 8bde248 into sass:main Dec 17, 2022