We now use gobump to manage Go dependencies. gobump supports holding
back dependency updates that require newer Go compiler versions than the
one specified in the project's go.mod.

IMHO, this is much saner than having so many PRs for all individual
dependencies. Taken from osbuild/images.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>

dependabot is an independent security scanning tool which mostly
focuses on evaluating the dependency chain. Having the dependabot.yml
file on the main branch would enable the bot to test the dependencies
daily.