AST-145894 - Add dependabot configuration

.github/dependabot.yml

@@ -0,0 +1,37 @@
+version: 2
+
+registries:
+  github:
+    type: git
+    url: https://github.com
+    username: ${{secrets.GH_USER}}
+    password: ${{secrets.GH_TOKEN}}
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "(AST-87115) Dependabot (Go) "
+      include: "scope"
+    pull-request-branch-name:
+      separator: "/"
+    registries:
+      - github
+    target-branch: "main"
+    groups:
+      all-go-modules:
+        patterns:
+          - "*"
+    labels:
+      - "bot"
+      - "dependencies"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "github.com/minio/console"
+      - dependency-name: "github.com/minio/minio"
+    schedule:
+      interval: "daily"
+      time: "05:00"
+      timezone: "UTC"

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,16 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  check_suite:
+    types: [completed]
+
+jobs:
+  dependabot-auto-merge:
+    uses: Checkmarx-Containers/containers-github-actions-workflows/.github/workflows/dependabot-auto-merge.yml@main
+    with:
+      service-name: ${{ github.event.repository.name }}
+      timeout-seconds: 2700
+      auto-merge-major: true
+    secrets: inherit

.github/workflows/dependabot-rebase-conflicts.yml

@@ -0,0 +1,61 @@
+name: Dependabot Rebase Conflicts
+
+# Triggers:
+# 1. push to main   — a new commit may cause existing Dependabot PRs to conflict.
+# 2. schedule       — daily safety-net to catch anything missed by the push trigger.
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 8 * * *" # 08:00 UTC, after Dependabot's daily 06:00 run
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  rebase-conflicts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Rebase conflicting Dependabot PRs
+        run: |
+          # GitHub computes mergeability asynchronously after a push — PRs may briefly
+          # show UNKNOWN before settling to CONFLICTING. We retry for up to 5 minutes
+          # to avoid false negatives on freshly-landed commits.
+          MAX_ATTEMPTS=10
+          SLEEP_SECONDS=30
+
+          for attempt in $(seq 1 $MAX_ATTEMPTS); do
+            echo "Attempt $attempt/$MAX_ATTEMPTS — checking Dependabot PR mergeability..."
+
+            pr_data=$(gh pr list \
+              --repo "$GITHUB_REPOSITORY" \
+              --author "app/dependabot" \
+              --state open \
+              --json number,title,mergeable)
+
+            unknown=$(echo "$pr_data" | jq '[.[] | select(.mergeable == "UNKNOWN")] | length')
+            conflicting=$(echo "$pr_data" | jq -r '.[] | select(.mergeable == "CONFLICTING") | .number')
+
+            if [ "$unknown" -gt 0 ] && [ "$attempt" -lt "$MAX_ATTEMPTS" ]; then
+              echo "$unknown PR(s) still have UNKNOWN mergeability — waiting ${SLEEP_SECONDS}s..."
+              sleep $SLEEP_SECONDS
+              continue
+            fi
+
+            if [ -z "$conflicting" ]; then
+              echo "No conflicting Dependabot PRs found."
+              exit 0
+            fi
+
+            for pr in $conflicting; do
+              echo "Requesting rebase of conflicting Dependabot PR #$pr"
+              gh pr comment "$pr" \
+                --repo "$GITHUB_REPOSITORY" \
+                --body "@dependabot rebase"
+            done
+            exit 0
+          done
+        env:
+          GH_TOKEN: ${{ github.token }}