enable dependabot

[braingram]

This PR adds a dependabot configuration file which should also enable dependabot to run on this repo.

The configuration file contains sections to keep both github actions versions up-to-date and upper pins for python dependencies (via pip) up-to-date.

I don't have access to the repository settings and I'm not sure if dependabot is enabled there as I found one old PR for jwst from dependabot:
#6092

However it appears that at least the github actions are not being checked as an older version (3) of the checkout action is in use:

jwst/.github/workflows/publish-to-pypi.yml

Line 12 in 5c5b968

- uses: actions/checkout@v3

For an example of what to expect from dependabot PRs, here is the PR for asdf opened by dependabot to update the checkout action in that repository:
asdf-format/asdf#1639

Checklist for maintainers

• added entry in CHANGES.rst within the relevant release section
• updated or added relevant tests
• updated relevant documentation
• added relevant milestone
• added relevant label(s)
• ran regression tests, post a link to the Jenkins job below.
  How to run regression tests on a PR
• Make sure the JIRA ticket is resolved properly

[codecov]

Codecov Report

All modified lines are covered by tests ✅

📢 Thoughts on this report? Let us know!.

[zacharyburnett]

this looks great, thanks! I'm assuming the dependabot PRs ping the codeowners by default, but to keep @hbushouse from being spammed by PRs all the time, is there a way to make it ping me in addition / instead?

[braingram]

Thanks for taking a look and good idea!

I think this should do it: ce3748f

I added you as one of the reviewers. There is another option for assignees but reviewers seemed like a better fit. I've never used either option so we may just have to wait and see what the first PR looks like and adjust as needed.