Managing dependabot PRs #333

Open
dbluhm opened this issue Apr 11, 2024 · 3 comments

@dbluhm
Member

dbluhm commented Apr 11, 2024

I recently took a stab at merging the 50+ open dependabot PRs by enabling a merge queue for the main branch. This ended up not working as hoped because the DCO check is not correctly run by the merge_group trigger.

Looking through the docs for dependabot, it would seem it is possible to group dependency update PRs into a single PR: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-updates-into-one-pull-request

I don't have much experience working with the dependabot config. But it seems like it would be a good idea to be able to group dev dependency updates (or at least the common ones like pytest, black, ruff, etc.) of all plugins into a single PR. Other logical groups may arise; for instance, dependencies of ACA-Py (those only indirectly depended on by the plugins themselves and so don't show up in the plugins_global config) may be another group that we would want to update across all plugins at once.

@swcurran @jamshale

@swcurran
Member

@WadeBarnes — do you have any experience with this? We could really use it!

@WadeBarnes
Member

This repo is on the list for the dependabot configuration updates we're doing. We'll take this into account when we're developing the config. I've got some ideas of how this would be done.

@WadeBarnes WadeBarnes self-assigned this Apr 11, 2024
@jamshale
Contributor

I think this is working now. Only problem is when individual plugins fail tests. In cases when that happens we might need to do the upgrades manually, and then for the failing plugins we'd need to pin the dependency we didn't want to update.
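
A grouped Dependabot configuration of the kind proposed in the opening comment, as an added example that is not part of this thread or the repository's actual config. The directory names, group names and the ACA-Py package pattern are placeholders, and it assumes the plugins are updated through the `pip` ecosystem.

```yaml
# .github/dependabot.yml (illustrative; not the repository's real file)
version: 2
updates:
  - package-ecosystem: "pip"
    # Groups only apply within one update entry. Listing several plugin
    # directories in a single entry lets one group produce one PR that
    # spans all of them, instead of one PR per plugin.
    directories:
      - "/plugin_a"        # placeholder plugin directory
      - "/plugin_b"        # placeholder plugin directory
    schedule:
      interval: "weekly"
    groups:
      # Common dev tooling named in the issue, updated together.
      dev-tooling:
        patterns:
          - "pytest*"
          - "black"
          - "ruff"
      # Second logical group suggested in the issue: packages pulled in
      # through ACA-Py. The pattern below is a placeholder, not a real
      # package name taken from the project.
      acapy-related:
        patterns:
          - "<acapy-package-pattern>"
    # Dependencies matching no group still get individual PRs.
```

A grouped PR passes or fails CI as a unit, so one plugin's failing tests block the update for every directory in the entry, which is the situation the last comment describes.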
