Setup dependabot for key dependencies

[BigLep]

Done Criteria

ref-fvm has dependabot configured for critical dependencies so we proactively stay updated where it matters most.

Critical dependencies to proactively update with dependabot

@rvagg (and others) will fill this in:

• wasmtime

Why Important

Some of our dependencies like wasmtime have important security fixes but also take a lot of time to upgrade because of the manual time going through all their changes and ensuring no performance regressions. Proactively being notified of new versions helps prevent getting forced into taking a bigger task at an undesired time.

In addition, there are some dependencies we control that we always want to stay current with. We likely made a change in them with the intent of bubbling up to ref-fvm. This work saves time with some automation.

User/Customer

Maintainers

Notes

1. This is taking a pragmatic approach. We're not going to blanket update all our dependencies. This will create too much noise. Instead, we'll focus on the most beneficial items (e.g., items that when released almost always involve bubbling up to ref-fvm anyways, items that are painful to get too far behind on).
2. It's intended to scope / define this issue well so @copilot can take this on.
3. Having a robust mechanism for all our dependencies is covered in Lotus has a mechanism to update dependencies lotus#12227.

[rvagg]

To be even more clear about this: the intention here is not that dependabot changes will be directly merged or even mergeable, but that they serve as notifications. wasmtime in particular is a dependency that needs a lot of care and attention to figure out the upgrade path and impact so needs human-time to review; but just being notified is a good start.

I am a little concerned that having dependabot show up may encourage future maintainers to take a relaxed attitude toward upgrades but we'll have to calibrate over time on that and hopefully we can set up institutional expectations about this.

I would love to be able to control the message that dependabot shows up with but I don't think we have much control. Can we make it do draft PRs instead or some other softer-touch signal?

Other dependencies I think it would be good to keep on top of:

Top-level Cargo.toml

• serde
• cid
• ipld-core
• multihash-codetable
• multihash-derive
• blake2b_simd
• k256
• bls-signatures
• wasmtime-environ
• unsigned-varint

In fvm/Cargo.toml:

• filecoin-proofs-api
• fvm-wasm-instrument

In sdk/Cargo.toml:

• filecoin-proofs-api

In ipld/encoding/Cargo.toml:

• serde_ipld_dagcbor
• serde_repr
• serde_tuple

[rvagg]

Let's do this check monthly so the pace of change isn't too much to be annoying.

[rvagg]

OK, now we have a draft PR @ #2194 I'm reminded that we already have a dependabot config just for wasmtime, yet we haven't had any wasmtime PRs that aren't security alerts: https://github.com/filecoin-project/ref-fvm/pulls?q=is%3Apr+dependabot (the ones listed I think are all alerts and predate the config).

I think this is because dependabot just doesn't support workspace.dependencies so this might be an impossibility for us for now: dependabot/dependabot-core#7896

[rvagg]

This will hopefully solve the dependabot problem for us if/when it gets merged, it's getting some attention so I'm hopeful this will land soon: dependabot/dependabot-core#12780