Proposal for using the latest dependabot-core version #872

Open
MarvinJWendt opened this issue Nov 4, 2022 · 2 comments

@MarvinJWendt

Hi, I noticed that the dependabot-core version, used in the Dockerfile, is a little out of date:

FROM dependabot/dependabot-core:0.209.0

We currently have an issue with our Azure Pipeline in a monorepo. The fix for that issue (dependabot/dependabot-core#5983) was just pushed and is available in the latest tag of dependabot-core.

At the moment, this repo requires manual updates of the base image used. I propose that latest is used instead, so that updates are automatically included in new image builds.

Feedback is appreciated :)
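
An added example, not part of the issue thread or of this project's code: a small check that classifies each `FROM` line in a Dockerfile as digest-pinned, tag-pinned or floating, which makes the trade-off in the proposal above (a fixed tag such as `0.209.0` versus `latest`) visible in CI. The function names, the `FLOATING_TAGS` list, the `registry.example` host and the sample Dockerfile are assumptions made for the illustration; only a digest reference is immutable, since a version tag can be re-pushed by the image publisher.

```python
import re

# Tags that are expected to move; a missing tag makes Docker pull ":latest".
FLOATING_TAGS = {"latest", "main", "master", "edge", "nightly", "stable"}  # assumed list

def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    colon = name.rfind(":")
    tag = None
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None

def classify_from_lines(dockerfile_text):
    """Return [(image_ref, verdict)] for each FROM instruction, in order."""
    results, stages = [], set()
    for line in dockerfile_text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref.lower() == "scratch" or ref.lower() in stages:
            verdict = "internal"          # earlier build stage, nothing is pulled
        elif "$" in ref:
            verdict = "unresolved-arg"    # depends on a build ARG, check the caller
        else:
            _, tag, digest = parse_image_ref(ref)
            if digest:
                verdict = "digest-pinned"
            elif tag is None or tag.lower() in FLOATING_TAGS:
                verdict = "floating"
            else:
                verdict = "tag-pinned"
        results.append((ref, verdict))
        if alias:
            stages.add(alias.lower())
    return results

DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real image digest
SAMPLE = f"""\
FROM dependabot/dependabot-core:0.209.0 AS pinned
FROM dependabot/dependabot-core:latest
FROM dependabot/dependabot-core
FROM --platform=linux/amd64 registry.example:5000/dependabot-core@{DIGEST}
FROM pinned
"""

if __name__ == "__main__":
    for ref, verdict in classify_from_lines(SAMPLE):
        print(f"{verdict:15} {ref}")
```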

@lorengordon

Dependabot-core releases pretty darn frequently, and this project already uses dependabot itself. PR for the current release is here: #871...

I wonder if anyone has looked at setting up an automatic merge workflow for at least some dependabot PRs, for this project?

@jeffwidman
Member

We revamped our deploy workflow a few months ago so that we typically deploy a dependabot-core PR to the GitHub.com native service before we merge back to main... this results in a safer experience because we can immediately revert the deploy w/o having to revert the full deploy merge.

It also means we went from release/deploy once or twice a week to deploying multiple times a day. Unfortunately, the byproduct was we stopped cutting releases as frequently.

We've got an open item internally on our roadmap to automate cutting releases such that it happens on a regular cadence (daily or weekly or monthly) so that others aren't left behind... but it'll be a little bit til we get the bandwidth to do that.

Once that's complete, then we can look towards what the best fix is to keep this up to date.
