
chore: update github actions monthly with dependabot #346

Open
wants to merge 1 commit into
base: main

Conversation

jlosito

@jlosito jlosito commented Feb 3, 2025

This change will use dependabot to check for updates to any of the GitHub actions this project uses and submit pull requests with version bumps.

Collaborator

@michaelnchin michaelnchin left a comment


Thank you for the contribution, @jlosito. I'm not certain of our general stance regarding automated changes, but this seems like a useful change to keep us informed about available updates.

I have one concern - by default, Dependabot opens individual pull requests for every new dependency update it detects. This could potentially end up spamming the repository with new PRs every time the monthly check occurs.

To prevent this, can we make use of the Grouped Version Updates feature? This would allow Dependabot to roll multiple changes into the same PR to keep things cleaner, and prevent possible conflicts when co-dependent packages each have pending updates.

For example:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      actions-dependencies:
        patterns:
          - "*"

We may also want to enhance this to suggest updates for the main project.

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      prod-dependencies:
        dependency-type: "production"
      dev-dependencies:
        dependency-type: "development"

@3coins
Collaborator

3coins commented Feb 4, 2025

@efriis
Any concern on adding dependabot alerts to the repo here? Noticed that langchain had attempted this at some point, but discarded now.
https://github.com/langchain-ai/langchain/actions/workflows/dependabot/dependabot-updates

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
Collaborator


Should we change to weekly? Also, this seems to only include updates to GitHub Actions; should we also add pip, so it can cover Python packages?

@efriis
Member

efriis commented Feb 4, 2025

I believe it might be better to configure in the security tab at the top without doing in a github action. I believe this posts security issues live. This is how we do them in the langchain monorepo

But this likely works too, and no issues with doing in a workflow!

@jlosito
Author

jlosito commented Feb 5, 2025

@3coins I had opened a similar change for the core lib. Right now it's in draft mode though because I haven't verified that all of the tests pass.

langchain-ai/langchain#29554

@3coins
Collaborator

3coins commented Feb 6, 2025

@jlosito
I concur with suggestions from @michaelnchin. Would you be able to make these updates? The pip workflow seems a bit more involved, so we need some deep dive into that, but we can start with github-actions at the moment.

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-dependencies:
        patterns:
          - "*"
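A check for the two points raised in this thread (the grouping @michaelnchin asked for, and the schedule interval), written as an added example that is neither code from this PR nor from Dependabot; it assumes the file has already been parsed into a dict (PyYAML's `yaml.safe_load` would do it) and embeds a constructed sample in that shape.

```python
# Added example, not from this PR or from Dependabot: lint a parsed dependabot.yml
# for the points raised in the thread. Without `groups` Dependabot opens one PR
# per dependency; schedule.interval sets how often. Config is a constructed dict
# in the shape yaml.safe_load would return, so this runs offline.
VALID_INTERVALS = {"daily", "weekly", "monthly"}
# Keys Dependabot accepts inside a group to choose which dependencies it covers.
GROUP_SELECTORS = {"patterns", "exclude-patterns", "dependency-type", "update-types"}

def lint_update(entry):
    """Return findings for one item of the `updates` list (empty list = clean)."""
    findings = []
    eco = entry.get("package-ecosystem")
    if not eco:
        findings.append("missing package-ecosystem")
    if "directory" not in entry:
        findings.append(f"{eco}: missing directory")
    interval = (entry.get("schedule") or {}).get("interval")
    if interval not in VALID_INTERVALS:
        findings.append(f"{eco}: schedule.interval must be one of {sorted(VALID_INTERVALS)}")
    groups = entry.get("groups")
    if not groups:
        findings.append(f"{eco}: no groups; Dependabot will open one PR per dependency")
    else:
        for name, spec in groups.items():
            if not isinstance(spec, dict) or not (set(spec) & GROUP_SELECTORS):
                findings.append(f"{eco}: group {name!r} selects nothing")
    return findings

def lint_config(config):
    """Lint a whole config; maps ecosystem (or updates[i]) to its findings."""
    report = {}
    if config.get("version") != 2:
        report["version"] = ["version must be 2"]
    for i, entry in enumerate(config.get("updates") or []):
        problems = lint_update(entry)
        if problems:
            report[entry.get("package-ecosystem") or f"updates[{i}]"] = problems
    return report

# Constructed sample: the grouped weekly github-actions entry proposed in the
# thread, beside an ungrouped pip entry whose interval is misspelled.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"},
         "groups": {"actions-dependencies": {"patterns": ["*"]}}},
        {"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "montly"}},
    ],
}
```

Calling `lint_config(SAMPLE_CONFIG)` reports only the pip entry: the invalid interval and the missing groups.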

@3coins
Collaborator

3coins commented Feb 6, 2025

@3coins I had opened a similar change for the core lib. Right now it's in draft mode though because I haven't verified that all of the tests pass.

langchain-ai/langchain#29554

Someone from LangChain team would be able to review that, but based on info from @efriis, it seems like the langchain monorepo is handling this from the settings panel.

@efriis
Member

efriis commented Feb 6, 2025

closed the monorepo one - yes to be clear we access them by enabling these settings (linking the langchain-aws one for convenience)
