use github actions to auto-update dependabot branches

[lizthegrey]

we have (for good reason) "must be in sync with base" to merge, but this results in manual work when trying to merge dependabot updates.

[evantorrie]

As I understand it, dependabot will try to rebase its own PRs so long as commits from "others" have not been made to the PR.

The mod-tidier github workflow is currently configured to run only when a PR branch is labelled with "dependencies". My understanding (yet to be thoroughly vetted) is that

1. dependabot creates the PR and then labels it with "dependencies".
2. The mod-tidier github workflow will run and, if it finds any other go.sum files that need to be updated, then will perform its "auto-commit" under the auspices of the most recent committer (in this case, it would be dependabot).

Whether this counts as a commit by "other users" is something I'm yet to ascertain.

If I'm understanding the issue correctly, it may be best to wait until the next "auto-PR open" by dependabot happens, and then see what mod-tidier does with it - whether dependabot will still continue to rebase after mod-tidier runs.

[lizthegrey]

The problem is even if there isn't a conflict, it's necessary to merge. Dependabot knows how to rebase on conflict, but not if there are no conflicts.

[dmathieu]

It seems like this issue is resolved with #2997, since we now have a single PR for all dependabot upgrades.

[MrAlias]

Closed with #2997