Conversation

@v1v v1v commented Mar 26, 2025

What does this pull request do?

Use dependabot for updating docker images stored in our internal docker registry using this.

Use directories to manage the dependencies for the GitHub workflows and composite actions.

Why

We already have secrets stored for accessing the internal docker registry. Use one dependency management tool with native support for GitHub actions and the GH secrets access control.

This has already been tested in a sandbox repository and also in other GH internal repositories.

Actions

  • Create Dependabot GitHub secret using CasC.

Related issues

Done also in elastic/apm-agent-nodejs#4539

@v1v v1v requested review from a team March 26, 2025 11:08
@v1v v1v self-assigned this Mar 26, 2025
xrmx commented Mar 26, 2025

Would it be possible to configure dependabot to just bump patch releases for a specified image?

v1v commented Mar 26, 2025

Would it be possible to configure dependabot to just bump patch releases for a specified image?

I have not used it that much, but I think you can use some configuration from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--

In addition, dependabot supports some commands

@dependabot show ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


I asked GitHub Copilot and it says

You can restrict updates to only new patches by adding an "allow" section with an "update-types" filter for semantic patch updates. For example, if you modify the docker updates block in the dependabot.yml file as follows, Dependabot will only create pull requests for patch updates:

...
  - package-ecosystem: "docker"
    directories:
      - '/'
    reviewers:
      - "elastic/apm-agent-python"
    registries: "*"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "*"
        update-types:
          - version-update:semver-patch

This configuration tells Dependabot to only allow updates that are considered patch-level changes. See dependabot.yml configuration options for more details.

It could also be done the other way around:

    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-major"]

according to https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--
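A complete dependabot.yml that puts the two pieces of this thread together: a private Docker registry authenticated from a Dependabot secret (the secret the PR description says is created via CasC), and a Docker update block limited to patch bumps. This is an added example, not the file merged in this PR; the registry name, URL, secret names and the `.github/actions/*` layout are placeholders. It uses the `ignore` form from the second snippet above, since that is the key the options reference documents `update-types` under.

```yaml
# Added example, not this PR's file. Registry name, URL, secret names and
# the composite-action directory layout are placeholders.
version: 2

registries:
  internal-docker:
    type: docker-registry
    url: https://docker.example.internal        # placeholder registry URL
    # These resolve from the repository's *Dependabot* secrets
    # (Settings > Secrets and variables > Dependabot), not from the
    # Actions secrets; an Actions-only secret leaves Dependabot unauthenticated.
    username: ${{ secrets.INTERNAL_DOCKER_USERNAME }}
    password: ${{ secrets.INTERNAL_DOCKER_PASSWORD }}

updates:
  - package-ecosystem: "docker"
    directories:
      - "/"
    registries:
      - internal-docker
    schedule:
      interval: "daily"
    reviewers:
      - "elastic/apm-agent-python"
    # Patch bumps only: refuse minor and major tag changes for every image.
    # Minor/major bumps are then done deliberately by hand.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"

  - package-ecosystem: "github-actions"
    directories:
      - "/"                     # .github/workflows
      - "/.github/actions/*"    # composite actions, one per subdirectory (assumed layout)
    schedule:
      interval: "weekly"
```

Two things worth checking before relying on this: that the secret exists in the Dependabot secret store and not only in the Actions one (the two are separate), and how the filter behaves for an image whose tags are not plain semver (date-based or `latest` tags), since the `version-update:semver-*` classes only apply to tags Dependabot can parse as versions.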

@v1v v1v merged commit edadac9 into elastic:main Mar 27, 2025
120 checks passed