Dependabot performing go mod vendor now-- nifty #379

Closed
aegershman opened this issue Nov 3, 2020 · 2 comments

@aegershman
Contributor

This is an unstructured GitHub issue, feel free to close this issue whenever appropriate. I just wanted to point this out--

According to this GitHub blog post, Dependabot can now support go mod tidy + go mod vendor:

> Dependabot version updates now run the go mod tidy command during every update, which helps keep your go.mod file well-organized and free of stale module versions.
>
> If your repository vendors its dependencies with go mod vendor, Dependabot now respects that configuration during version updates. No changes to the configuration file are required.

With that said, I believe we just need to change .dependabot config to have vendor: true on gomod updates

I'll test it out sometime and can open a PR to see if it makes a difference, unless someone else wants to get to it first. It should just be a lil' change to .dependabot.yml which does this--

```yaml
---
version: 2
updates:
  - package-ecosystem: gomod
    vendor: true # <-- # Raise pull requests to update vendored dependencies that are checked in to the repository
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10
```

Again, feel free to close this out whenever. Just logging. Thanks 👍

@aegershman
Contributor Author

Quick update-- never mind, I re-read the blog post, and it points out no changes are needed. I tested it in a fork (which will soon be deleted) (https://github.com/aegershman/compliance-masonry-venerable/pull/2/files) and sure enough, it vendors automatically. Closing.

@aegershman
Contributor Author

also shown here after doing (@) dependabot rebase #374
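
An added example, not part of the issue thread or the project's code: a simplified check a reviewer or CI job could run on a dependency-update PR to confirm that the versions required in go.mod match the ones recorded in vendor/modules.txt, so a bump never ships with a stale vendor tree. The module names, versions and the function names `parse` and `drift` are constructed for illustration; it compares versions only and does not verify the vendored file contents.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed samples: go.mod requires yaml v2.3.0, vendor/ still has v2.2.8.
const sampleGoMod = `module example.com/app
require github.com/pkg/errors v0.9.1
require (
	gopkg.in/yaml.v2 v2.3.0 // indirect
)`
const sampleModulesTxt = `# github.com/pkg/errors v0.9.1
## explicit
github.com/pkg/errors
# gopkg.in/yaml.v2 v2.2.8`

// parse returns module -> version from go.mod, or from modules.txt if vendored.
func parse(text string, vendored bool) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(text, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // drop comments
		switch {
		case vendored && len(f) >= 3 && f[0] == "#" && f[2] != "=>":
			out[f[1]] = f[2] // "# module version" header line
		case vendored || len(f) == 0: // package paths, "## explicit", blanks
		case len(f) == 2 && f[1] == "(" || f[0] == ")":
			inBlock = f[0] == "require" // enter only require blocks, leave on ")"
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case f[0] == "require" && len(f) == 3:
			out[f[1]] = f[2]
		}
	}
	return out
}

// drift maps each mismatched go.mod requirement to its vendored version ("" if absent).
func drift(goMod, modulesTxt string) map[string]string {
	out, got := map[string]string{}, parse(modulesTxt, true)
	for mod, want := range parse(goMod, false) {
		if got[mod] != want {
			out[mod] = got[mod]
		}
	}
	return out
}

func main() { fmt.Println(drift(sampleGoMod, sampleModulesTxt)) }
```

An empty result means every go.mod requirement appears in vendor/modules.txt at the same version.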
