Run Dependabot on Composer Packages

[n7studios]

Summary

Configures Dependabot to create PR's and run tests when any packages (currently only Kit's WordPress Libraries) in composer.json require section have a newer version available, ensuring they remain up to date.

Dependabot PR's relating to GitHub Action packages will still skip tests, which is intentional.

Currently, manual PR's would need to be submitted to update Kit's WordPress Libraries.

Testing

Existing tests pass.

Checklist

• I have written a test and included it in this PR
• I have run all tests and they pass
• The code passes when running the PHP CodeSniffer
• Code meets WordPress Coding Standards for PHP, HTML, CSS and JS
• Security and Sanitization requirements have been followed
• I have assigned a reviewer or two to review this PR (if you're not sure who to assign, we can do this step for you)

[github-actions]

WordPress Playground

🚀 Your PR has been built and is ready for testing in WordPress Playground!

Click here to test your changes in WordPress Playground

[noelherrick]

Perhaps we might consider holding packages/PRs for a week. We've had multiple cases in the JS world where a package maintainer was compromised and because we only apply week-old changes, we were not affected.

[n7studios]

Perhaps we might consider holding packages/PRs for a week. We've had multiple cases in the JS world where a package maintainer was compromised and because we only apply week-old changes, we were not affected.

This PR would only update packages in composer.json's require section, which right now is only the Kit WordPress Libraries, which we're the maintainer of. I think daily is fine for this - it's designed to save me having to manually create PR's each time the Kit WordPress Libraries have a new release. Agree if we expand to use third party packages in the future we should update this to permit our own daily and others weekly.