Autobuild: Add Github Action for dependency update PRs

[hoffie]

Describe the task

We have several external dependencies which are version-locked for reproducibility and security. We should regularly check those for updates. A Github Action scheduled job (cron-style) could do that. It could automatically submit a PR with the suggested update.

• Github Actions (uses: ) Github: Enable dependabot for workflow dependencies #2778
• Pinned dependencies in the build process (aqt, Qt, JACK, jom, NSIS) CI: Check for dependency updates automatically #2777
• Android SDK/NDK/Commandlinetools)
• Check Autobuild: Refactor and add dependency pinning #2345 wrt completeness
• Submodules (liboboe)
• Add automated update to pylint (inclusion here closes Add automated update to pylint #3056)

Solutions to look into:

• dependabot
• https://github.com/apps/renovate

[ann0see]

Dependabot?

[hoffie]

Dependabot?

Yeah, might be worth a look wrt Github Actions usage. I would not expect it to catch the depds from our build scripts though, unless I'm missing something?

[ann0see]

Maybe we can set it up to do that

[hoffie]

From https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates#supported-repositories

Supported repositories
Repository contains dependency manifest file from a package ecosystem that GitHub supports: "Supported package ecosystems"

So it looks like:

• Github Actions could work.
• pip (for aqt) could work (although we would have to create and use a pipfile.lock

That'd mean that the following would require manual work (at least):

• choco
• Qt