[PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael Kubacki]

From: Michael Kubacki <michael.kubacki@microsoft.com>

Enables dependabot in this repo so we can better alerted when
dependency updates are available.

This GitHub action will automatically create pull requests and
summarize the dependency details. Because it is a pull request,
the CI system will validate the dependency update in the pull
request.

Configures dependabot for:

1. PIP module updates
2. Submodule updates
3. GitHub action updates

The maintainers/reviewers of the .github directory were added as
pull request reviewers so they can be notified when the pull request
is available.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---

Notes:
    An example of the pull requests created by this change
    are available on my edk2 fork:
    
    https://github.com/makubacki/edk2/pulls

 .github/dependabot.yml | 45 ++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000000..7f405721fd3d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+## @file
+# Dependabot configuration file to enable GitHub services for managing and updating
+# dependencies.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+##
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "pip"
+    reviewers:
+      - "makubacki"
+      - "mdkinney"
+      - "spbrogan"
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "submodule"
+    reviewers:
+      - "makubacki"
+      - "mdkinney"
+      - "spbrogan"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "GitHub Action"
+    reviewers:
+      - "makubacki"
+      - "mdkinney"
+      - "spbrogan"
-- 
2.28.0.windows.1

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael D Kinney]

Hi Michael,

Thanks.  This feature is really useful to help keep our dependencies up to date.

For the EDK II Development Process, the PRs produced by dependabot would only
be informative and would never be merged directly.  How do we mark these PRs
so they are never merged directly with a "push" label?

The EDK II Maintainers can monitor these PRs and when there is something that
needs to be updated, a developer can produce patches and send reviews 
with required Signed-off-by and Reviewed-by tags in the commit message.

Thanks,

Mike

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
> Sent: Thursday, November 10, 2022 5:47 AM
> To: devel@edk2.groups.io
> Cc: Sean Brogan <sean.brogan@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot
> 
> From: Michael Kubacki <michael.kubacki@microsoft.com>
> 
> Enables dependabot in this repo so we can better alerted when
> dependency updates are available.
> 
> This GitHub action will automatically create pull requests and
> summarize the dependency details. Because it is a pull request,
> the CI system will validate the dependency update in the pull
> request.
> 
> Configures dependabot for:
> 
> 1. PIP module updates
> 2. Submodule updates
> 3. GitHub action updates
> 
> The maintainers/reviewers of the .github directory were added as
> pull request reviewers so they can be notified when the pull request
> is available.
> 
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
> 
> Notes:
>     An example of the pull requests created by this change
>     are available on my edk2 fork:
> 
>     https://github.com/makubacki/edk2/pulls
> 
>  .github/dependabot.yml | 45 ++++++++++++++++++++
>  1 file changed, 45 insertions(+)
> 
> diff --git a/.github/dependabot.yml b/.github/dependabot.yml
> new file mode 100644
> index 000000000000..7f405721fd3d
> --- /dev/null
> +++ b/.github/dependabot.yml
> @@ -0,0 +1,45 @@
> +## @file
> +# Dependabot configuration file to enable GitHub services for managing and updating
> +# dependencies.
> +#
> +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +# Please see the documentation for all configuration options:
> +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
> +##
> +version: 2
> +updates:
> +  - package-ecosystem: "pip"
> +    directory: "/"
> +    schedule:
> +      interval: "daily"
> +    commit-message:
> +      prefix: "pip"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"
> +
> +  - package-ecosystem: "gitsubmodule"
> +    directory: "/"
> +    schedule:
> +      interval: "daily"
> +    commit-message:
> +      prefix: "submodule"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"
> +
> +  - package-ecosystem: "github-actions"
> +    directory: "/"
> +    schedule:
> +      interval: "weekly"
> +      day: "monday"
> +    commit-message:
> +      prefix: "GitHub Action"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"
> --
> 2.28.0.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#96187): https://edk2.groups.io/g/devel/message/96187
> Mute This Topic: https://groups.io/mt/94935824/1643496
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [michael.d.kinney@intel.com]
> -=-=-=-=-=-=
> 

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael Kubacki]

Hi Mike,

One thing that comes to mind, is I can have the PR from dependabot 
automatically have a label added (e.g. "do-not-merge") and then update 
the mergify configuration to prevent merging of PRs with that label.

I can also have a comment automatically added to the PR that explains it 
is only for reference.

I made this changes on my fork in the following commits. What do you think?

- Branch: https://github.com/makubacki/edk2/commits/enable_dependabot
- Commit 1: 
https://github.com/makubacki/edk2/commit/7c8331885a9e052084cfdb5d40c845a0efd77248
- Commit 2: 
https://github.com/makubacki/edk2/commit/48be17075903cfc5278fd9bb031b965954d15bbb

Thanks,
Michael

On 11/10/2022 11:44 AM, Michael D Kinney wrote:
> Hi Michael,
> 
> Thanks.  This feature is really useful to help keep our dependencies up to date.
> 
> For the EDK II Development Process, the PRs produced by dependabot would only
> be informative and would never be merged directly.  How do we mark these PRs
> so they are never merged directly with a "push" label?
> 
> The EDK II Maintainers can monitor these PRs and when there is something that
> needs to be updated, a developer can produce patches and send reviews
> with required Signed-off-by and Reviewed-by tags in the commit message.
> 
> Thanks,
> 
> Mike
> 
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
>> Sent: Thursday, November 10, 2022 5:47 AM
>> To: devel@edk2.groups.io
>> Cc: Sean Brogan <sean.brogan@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>
>> Subject: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot
>>
>> From: Michael Kubacki <michael.kubacki@microsoft.com>
>>
>> Enables dependabot in this repo so we can better alerted when
>> dependency updates are available.
>>
>> This GitHub action will automatically create pull requests and
>> summarize the dependency details. Because it is a pull request,
>> the CI system will validate the dependency update in the pull
>> request.
>>
>> Configures dependabot for:
>>
>> 1. PIP module updates
>> 2. Submodule updates
>> 3. GitHub action updates
>>
>> The maintainers/reviewers of the .github directory were added as
>> pull request reviewers so they can be notified when the pull request
>> is available.
>>
>> Cc: Sean Brogan <sean.brogan@microsoft.com>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
>> ---
>>
>> Notes:
>>      An example of the pull requests created by this change
>>      are available on my edk2 fork:
>>
>>      https://github.com/makubacki/edk2/pulls
>>
>>   .github/dependabot.yml | 45 ++++++++++++++++++++
>>   1 file changed, 45 insertions(+)
>>
>> diff --git a/.github/dependabot.yml b/.github/dependabot.yml
>> new file mode 100644
>> index 000000000000..7f405721fd3d
>> --- /dev/null
>> +++ b/.github/dependabot.yml
>> @@ -0,0 +1,45 @@
>> +## @file
>> +# Dependabot configuration file to enable GitHub services for managing and updating
>> +# dependencies.
>> +#
>> +# Copyright (c) Microsoft Corporation.
>> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>> +#
>> +# Please see the documentation for all configuration options:
>> +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
>> +##
>> +version: 2
>> +updates:
>> +  - package-ecosystem: "pip"
>> +    directory: "/"
>> +    schedule:
>> +      interval: "daily"
>> +    commit-message:
>> +      prefix: "pip"
>> +    reviewers:
>> +      - "makubacki"
>> +      - "mdkinney"
>> +      - "spbrogan"
>> +
>> +  - package-ecosystem: "gitsubmodule"
>> +    directory: "/"
>> +    schedule:
>> +      interval: "daily"
>> +    commit-message:
>> +      prefix: "submodule"
>> +    reviewers:
>> +      - "makubacki"
>> +      - "mdkinney"
>> +      - "spbrogan"
>> +
>> +  - package-ecosystem: "github-actions"
>> +    directory: "/"
>> +    schedule:
>> +      interval: "weekly"
>> +      day: "monday"
>> +    commit-message:
>> +      prefix: "GitHub Action"
>> +    reviewers:
>> +      - "makubacki"
>> +      - "mdkinney"
>> +      - "spbrogan"
>> --
>> 2.28.0.windows.1
>>
>>
>>
>> -=-=-=-=-=-=
>> Groups.io Links: You receive all messages sent to this group.
>> View/Reply Online (#96187): https://edk2.groups.io/g/devel/message/96187
>> Mute This Topic: https://groups.io/mt/94935824/1643496
>> Group Owner: devel+owner@edk2.groups.io
>> Unsubscribe: https://edk2.groups.io/g/devel/unsub [michael.d.kinney@intel.com]
>> -=-=-=-=-=-=
>>
> 
> 
> 
> 
> 
> 

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael D Kinney]

Hi Michael,

This is a good idea to use a label.

Can dependabot PRs be marked as "Draft" PRs?  May be another way to prevent.

Also, can a comment to the PR be done from the dependabot action?
My experience with mergify is that less logic is easier to maintain.

Thanks,

Mike

> -----Original Message-----
> From: Michael Kubacki <michael.kubacki@outlook.com>
> Sent: Thursday, November 10, 2022 11:53 AM
> To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; mikuback@linux.microsoft.com
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Subject: Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot
> 
> Hi Mike,
> 
> One thing that comes to mind, is I can have the PR from dependabot
> automatically have a label added (e.g. "do-not-merge") and then update
> the mergify configuration to prevent merging of PRs with that label.
> 
> I can also have a comment automatically added to the PR that explains it
> is only for reference.
> 
> I made this changes on my fork in the following commits. What do you think?
> 
> - Branch: https://github.com/makubacki/edk2/commits/enable_dependabot
> - Commit 1:
> https://github.com/makubacki/edk2/commit/7c8331885a9e052084cfdb5d40c845a0efd77248
> - Commit 2:
> https://github.com/makubacki/edk2/commit/48be17075903cfc5278fd9bb031b965954d15bbb
> 
> Thanks,
> Michael
> 
> On 11/10/2022 11:44 AM, Michael D Kinney wrote:
> > Hi Michael,
> >
> > Thanks.  This feature is really useful to help keep our dependencies up to date.
> >
> > For the EDK II Development Process, the PRs produced by dependabot would only
> > be informative and would never be merged directly.  How do we mark these PRs
> > so they are never merged directly with a "push" label?
> >
> > The EDK II Maintainers can monitor these PRs and when there is something that
> > needs to be updated, a developer can produce patches and send reviews
> > with required Signed-off-by and Reviewed-by tags in the commit message.
> >
> > Thanks,
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
> >> Sent: Thursday, November 10, 2022 5:47 AM
> >> To: devel@edk2.groups.io
> >> Cc: Sean Brogan <sean.brogan@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> >> Subject: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot
> >>
> >> From: Michael Kubacki <michael.kubacki@microsoft.com>
> >>
> >> Enables dependabot in this repo so we can better alerted when
> >> dependency updates are available.
> >>
> >> This GitHub action will automatically create pull requests and
> >> summarize the dependency details. Because it is a pull request,
> >> the CI system will validate the dependency update in the pull
> >> request.
> >>
> >> Configures dependabot for:
> >>
> >> 1. PIP module updates
> >> 2. Submodule updates
> >> 3. GitHub action updates
> >>
> >> The maintainers/reviewers of the .github directory were added as
> >> pull request reviewers so they can be notified when the pull request
> >> is available.
> >>
> >> Cc: Sean Brogan <sean.brogan@microsoft.com>
> >> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> >> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> >> ---
> >>
> >> Notes:
> >>      An example of the pull requests created by this change
> >>      are available on my edk2 fork:
> >>
> >>      https://github.com/makubacki/edk2/pulls
> >>
> >>   .github/dependabot.yml | 45 ++++++++++++++++++++
> >>   1 file changed, 45 insertions(+)
> >>
> >> diff --git a/.github/dependabot.yml b/.github/dependabot.yml
> >> new file mode 100644
> >> index 000000000000..7f405721fd3d
> >> --- /dev/null
> >> +++ b/.github/dependabot.yml
> >> @@ -0,0 +1,45 @@
> >> +## @file
> >> +# Dependabot configuration file to enable GitHub services for managing and updating
> >> +# dependencies.
> >> +#
> >> +# Copyright (c) Microsoft Corporation.
> >> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +#
> >> +# Please see the documentation for all configuration options:
> >> +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
> >> +##
> >> +version: 2
> >> +updates:
> >> +  - package-ecosystem: "pip"
> >> +    directory: "/"
> >> +    schedule:
> >> +      interval: "daily"
> >> +    commit-message:
> >> +      prefix: "pip"
> >> +    reviewers:
> >> +      - "makubacki"
> >> +      - "mdkinney"
> >> +      - "spbrogan"
> >> +
> >> +  - package-ecosystem: "gitsubmodule"
> >> +    directory: "/"
> >> +    schedule:
> >> +      interval: "daily"
> >> +    commit-message:
> >> +      prefix: "submodule"
> >> +    reviewers:
> >> +      - "makubacki"
> >> +      - "mdkinney"
> >> +      - "spbrogan"
> >> +
> >> +  - package-ecosystem: "github-actions"
> >> +    directory: "/"
> >> +    schedule:
> >> +      interval: "weekly"
> >> +      day: "monday"
> >> +    commit-message:
> >> +      prefix: "GitHub Action"
> >> +    reviewers:
> >> +      - "makubacki"
> >> +      - "mdkinney"
> >> +      - "spbrogan"
> >> --
> >> 2.28.0.windows.1
> >>
> >>
> >>
> >> -=-=-=-=-=-=
> >> Groups.io Links: You receive all messages sent to this group.
> >> View/Reply Online (#96187): https://edk2.groups.io/g/devel/message/96187
> >> Mute This Topic: https://groups.io/mt/94935824/1643496
> >> Group Owner: devel+owner@edk2.groups.io
> >> Unsubscribe: https://edk2.groups.io/g/devel/unsub [michael.d.kinney@intel.com]
> >> -=-=-=-=-=-=
> >>
> >
> >
> >
> > 
> >
> >

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael Kubacki]

[-- Attachment #1: Type: text/plain, Size: 574 bytes --]

Hi Mike,

It looks like the ability to open draft PRs is not possible at the moment:
Configure dependabot to create draft PRs · Issue #1291 · dependabot/dependabot-core · GitHub ( https://github.com/dependabot/dependabot-core/issues/1291 )

I could not find an ability for dependabot to leave that comment. Though I intentionally tried to keep it very similar in the mergify config file to the merge conflict comment action to reduce complexity.

Thanks for the feedback. Please let me know, if we can proceed with v2 based on these changes.

Regards,
Michael

[-- Attachment #2: Type: text/html, Size: 642 bytes --]

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael D Kinney]

[-- Attachment #1: Type: text/plain, Size: 2295 bytes --]

Hi Michael,

Thanks for the quick investigation.  I have reviewed some of the PRs generated in your fork by dependabot.  The detailed information it collects and adds to the PR is really good.

I do notice that some dependencies (such as cmocka) are picking up the wrong content.  I think this is an issue with the cmocka mirror that needs to be fixed.  We need to review all the dependencies in edk2 repo and make sure all those dependencies are compatible with dependabot before activating it.

Given that any developer can submit a PR to run EDK II CI, perhaps we do not need to treat dependabot any different.  Just keep its default labels and do not add a do-not-merge label or special comments from mergify.

Instead, we can depend on EDK II Maintainers to periodically monitor dependabot PRs and if there is one edk2 should pick up, the EDK II Maintainer that owns the package with the dependency can pull the dependebot PR into their fork and update the commit message with Signed-off-by and Cc tags for EDK II review and resubmit the PR and send email patch reviews.  If you think this process is reasonable, then we can update the EDK II Development Process for this case for Maintainers.

I think this means your V1 is closer to what we need.

I recommend you bring this topic along with Maintainer process options and know edk2 dependabot compatibility issues to the TianoCore Tools/CI meeting.

Thanks,

Mike

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
Sent: Friday, November 11, 2022 7:30 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

Hi Mike,

It looks like the ability to open draft PRs is not possible at the moment:
Configure dependabot to create draft PRs · Issue #1291 · dependabot/dependabot-core · GitHub<https://github.com/dependabot/dependabot-core/issues/1291>

I could not find an ability for dependabot to leave that comment. Though I intentionally tried to keep it very similar in the mergify config file to the merge conflict comment action to reduce complexity.

Thanks for the feedback. Please let me know, if we can proceed with v2 based on these changes.

Regards,
Michael


[-- Attachment #2: Type: text/html, Size: 43890 bytes --]

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Michael Kubacki]

I think that process is reasonable and we can discuss further in the 
upcoming Tools & CI meeting.

For now, I will leave the v1 patch on the mailing list and keep those 
other commits up for reference.

Thanks,
Michael

On 11/11/2022 1:44 PM, Michael D Kinney wrote:
> Hi Michael,
> 
> Thanks for the quick investigation.I have reviewed some of the PRs 
> generated in your fork by dependabot.The detailed information it 
> collects and adds to the PR is really good.
> 
> I do notice that some dependencies (such as cmocka) are picking up the 
> wrong content.I think this is an issue with the cmocka mirror that needs 
> to be fixed.We need to review all the dependencies in edk2 repo and make 
> sure all those dependencies are compatible with dependabot before 
> activating it.
> 
> Given that any developer can submit a PR to run EDK II CI, perhaps we do 
> not need to treat dependabot any different.Just keep its default labels 
> and do not add a do-not-merge label or special comments from mergify.
> 
> Instead, we can depend on EDK II Maintainers to periodically monitor 
> dependabot PRs and if there is one edk2 should pick up, the EDK II 
> Maintainer that owns the package with the dependency can pull the 
> dependebot PR into their fork and update the commit message with 
> Signed-off-by and Cc tags for EDK II review and resubmit the PR and send 
> email patch reviews.If you think this process is reasonable, then we can 
> update the EDK II Development Process for this case for Maintainers.
> 
> I think this means your V1 is closer to what we need.
> 
> I recommend you bring this topic along with Maintainer process options 
> and know edk2 dependabot compatibility issues to the TianoCore Tools/CI 
> meeting.
> 
> Thanks,
> 
> Mike
> 
> *From:*devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of 
> *Michael Kubacki
> *Sent:* Friday, November 11, 2022 7:30 AM
> *To:* Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
> *Subject:* Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: 
> Enable dependabot
> 
> Hi Mike,
> 
> It looks like the ability to open draft PRs is not possible at the moment:
> Configure dependabot to create draft PRs · Issue #1291 · 
> dependabot/dependabot-core · GitHub 
> <https://github.com/dependabot/dependabot-core/issues/1291>
> 
> I could not find an ability for dependabot to leave that comment. Though 
> I intentionally tried to keep it very similar in the mergify config file 
> to the merge conflict comment action to reduce complexity.
> 
> Thanks for the feedback. Please let me know, if we can proceed with v2 
> based on these changes.
> 
> Regards,
> Michael
> 
> 

Re: [edk2-devel] [PATCH v1 1/1] .github/dependabot.yml: Enable dependabot

[Sean]

Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>



On 11/10/2022 5:46 AM, Michael Kubacki wrote:
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> Enables dependabot in this repo so we can better alerted when
> dependency updates are available.
>
> This GitHub action will automatically create pull requests and
> summarize the dependency details. Because it is a pull request,
> the CI system will validate the dependency update in the pull
> request.
>
> Configures dependabot for:
>
> 1. PIP module updates
> 2. Submodule updates
> 3. GitHub action updates
>
> The maintainers/reviewers of the .github directory were added as
> pull request reviewers so they can be notified when the pull request
> is available.
>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
>
> Notes:
>      An example of the pull requests created by this change
>      are available on my edk2 fork:
>      
>      https://github.com/makubacki/edk2/pulls
>
>   .github/dependabot.yml | 45 ++++++++++++++++++++
>   1 file changed, 45 insertions(+)
>
> diff --git a/.github/dependabot.yml b/.github/dependabot.yml
> new file mode 100644
> index 000000000000..7f405721fd3d
> --- /dev/null
> +++ b/.github/dependabot.yml
> @@ -0,0 +1,45 @@
> +## @file
> +# Dependabot configuration file to enable GitHub services for managing and updating
> +# dependencies.
> +#
> +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +# Please see the documentation for all configuration options:
> +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
> +##
> +version: 2
> +updates:
> +  - package-ecosystem: "pip"
> +    directory: "/"
> +    schedule:
> +      interval: "daily"
> +    commit-message:
> +      prefix: "pip"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"
> +
> +  - package-ecosystem: "gitsubmodule"
> +    directory: "/"
> +    schedule:
> +      interval: "daily"
> +    commit-message:
> +      prefix: "submodule"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"
> +
> +  - package-ecosystem: "github-actions"
> +    directory: "/"
> +    schedule:
> +      interval: "weekly"
> +      day: "monday"
> +    commit-message:
> +      prefix: "GitHub Action"
> +    reviewers:
> +      - "makubacki"
> +      - "mdkinney"
> +      - "spbrogan"