dependabot configuration

[faddat]

This PR configures dependabot for github actions, go, and cargo.

Likely a PR or two using github actions upcoming, might as well automatically maintain that too.

[faddat]

@webmaster128 bump sir. It is a good idea to keep things up to date.

[faddat]

Really, it's good to keep things up to date.

[chipshort]

Libraries should specify the minimum semver-compatible dependency version, not the latest one, so the applications using the library can decide for themselves.
We also should not just update rust dependencies in here willy-nilly. Ideally, we should keep the versions synchronized between this repo and the cosmwasm repo. Otherwise, our huge test suite in cosmwasm runs against different dependency versions than what we actually deploy. Updates aren't always good. They can break stuff.

In general, I'm also not a big fan of dependabot. It creates dozens of small PRs that just become a nuisance. I can see us merging the github-actions part, since that shouldn't be too many PR.

[faddat]

The versions aren't synchronized, which is the reason for

• update contracts to v2.2.0 #592

But to ensure I understand you correctly: you wish to ensure that dependencies in this repository use the exact same versions as dependencies in cosmwasm?

[chipshort]

Yes. To be extra clear, the versions I want to keep in sync are the ones in libwasmvm/Cargo.lock. Those should be the same as the ones in https://github.com/CosmWasm/cosmwasm/blob/main/Cargo.lock (or the lock file of version of cosmwasm we are using in libwasmvm, since we are not necessarily always using cosmwasm's main branch).
The PR you linked is about something completely different.

This is currently done by running cargo update manually in both at the same time.

[faddat]

oh great! I'll make prs for both!

[faddat]

once this PR is accepted:

CosmWasm/cosmwasm#2451

I will work on this PR again and get it all set :)