feat: add dependabot submodule version sync

[hwei0]

Issue #, if available:
#63
Description of changes:
add dependabot to create PRs to sync submodule versions on weekly basis

Testing
see https://github.com/hwei0/iam-policy-autopilot/pulls for example PRs created

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[mschlaipfer]

We should discuss how we keep track of submodule changes. I think we need to pull changes more frequently than weekly? Ideally, we'd release automatically when we detect a delta. Also, we need to check if the changes are relevant to us. We simplify the models in

iam-policy-autopilot/iam-policy-autopilot-policy-generation/build.rs

Lines 8 to 50 in b232dc5

	/// Simplified service definition with fields removed
	#[derive(Debug, Clone, Serialize, Deserialize)]
	struct SimplifiedServiceDefinition {
	#[serde(skip_serializing_if = "Option::is_none")]
	version: Option<String>,
	metadata: ServiceMetadata,
	operations: HashMap<String, SimplifiedOperation>,
	shapes: HashMap<String, SimplifiedShape>,
	}
	/// Service metadata from AWS service definitions
	#[derive(Debug, Clone, Serialize, Deserialize)]
	struct ServiceMetadata {
	#[serde(rename = "apiVersion")]
	api_version: String,
	#[serde(rename = "serviceId")]
	service_id: String,
	}
	/// Simplified operation definition (removed fields)
	#[derive(Debug, Clone, Serialize, Deserialize)]
	struct SimplifiedOperation {
	name: String,
	#[serde(skip_serializing_if = "Option::is_none")]
	input: Option<ShapeReference>,
	}
	/// Simplified shape definition (removed fields)
	#[derive(Debug, Clone, Serialize, Deserialize)]
	struct SimplifiedShape {
	#[serde(rename = "type")]
	type_name: String,
	#[serde(default, skip_serializing_if = "HashMap::is_empty")]
	members: HashMap<String, ShapeReference>,
	#[serde(skip_serializing_if = "Option::is_none")]
	required: Option<Vec<String>>,
	}
	/// Shape reference (removed fields)
	#[derive(Debug, Clone, Serialize, Deserialize)]
	struct ShapeReference {
	shape: String,
	}

, everything outside of that data (say a change to a documentation string) is not relevant to IPA. CC @ravi-natarajan

[weibenz1]

everything outside of that data (say a change to a documentation string) is not relevant to IPA

I agree with this, but I also find syncing the commits for e.g. doc-only updates not harmful. Is there a specific use for knowing the exact change (maybe part of our release changelog)?

[weibenz1]

anyway to look for new tags/new releases? not sure if replicating head commit is a good practice - we might accidentally take in bad commits etc.

[hwei0]

This doesn't seem to be supported by dependabot natively, although they are tracking it as an unresolved issue: dependabot/dependabot-core#1639

I think if we want to do any customization (eg do it on triggered basis, only track specific directories in the boto3/botocore dependencies, track specific release tags) then we will need to find another 3rd party bot/action or make our own action. E.g. https://docs.renovatebot.com/modules/manager/git-submodules/ seems like a decent 3p alternative

[weibenz1]

yeah, action will offer more customizability. the part taking time would be to setup a bot account and let it create a PR, but there might be actions already automated this