github: tweak dependabot frequency

Before:

* "Dependabot Security Alerts" was enabled
* Security Alerts scans All contents, so it creates noisy PRs.

After:

* Disable "Dependabot Security Alerts".
* Check github-actions in daily and create security updates PR at
once.
* Check bundler in daily and does not create both of security update
  and normal update because it will not be intended to update by
  dependabot..

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

Author: kenhys

Makefile

@@ -347,7 +347,7 @@ README.md: templates/README.md.erb
 		/README.md.erb > README.md
 
 .github/dependabot.yml: templates/dependabot.yml.erb
-	erb $< > $@
+	erb -T - $< > $@
 
 # Generate plugins for version
 #

templates/dependabot.yml.erb

@@ -1,20 +1,54 @@
 # AUTOMATICALLY GENERATED
 # DO NOT EDIT THIS FILE DIRECTLY, USE /templates/dependabot.yml.erb
+#
+# DISABLE "Dependabot Security Updates" because it scans past
+# archived-image directory. It creates noisy PRs. We can't stop that
+# behavior at all.
+#
 version: 2
 updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-  # Watch dependencies for current stable only
-<% latest_version = Dir.glob("docker-image/*").sort_by {|version| Gem::Version.new(version.split('/').last.delete('v'))}.last %>
-<% available_gemfile_paths = Dir.glob("#{latest_version}/**/Gemfile") %>
-<% available_gemfile_paths.each do |gemfile_path| %>
-<% path = File.dirname(gemfile_path) %>
+      interval: "daily"
+    groups:
+      # PR: "Security update [package] from [old] to [new]"
+      # This PR should be merged in hurry
+      security-updates:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+      # PR: "Bump [package] from [old] to [new]"
+      # No need to be merged this PR in hurry. It is enough to merge
+      # once in a month.
+      monthly-updates:
+        applies-to: version-updates
+        patterns:
+          - "*"
+    # Allow to create PR both of security and normal updates.
+    open-pull-requests-limit: 1
+
+<%- latest_version = Dir.glob("docker-image/*").sort_by {|version| Gem::Version.new(version.split('/').last.delete('v'))}.last -%>
+<%- available_gemfile_paths = Dir.glob("#{latest_version}/**/Gemfile") -%>
+<%- available_gemfile_paths.each do |gemfile_path| -%>
+  <%- path = File.dirname(gemfile_path) %>
+  # security updates in daily, ignore normal updates
   - package-ecosystem: "bundler"
     directory: "/<%= path %>"
     schedule:
       interval: "daily"
+    groups:
+      security-updates:
+        applies-to: security-updates
+        patterns:
+          - "*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update"]
+    # Check [Security and quality] or [Insights] > [Dependency graph]
+    # periodically It will help to know security issues in each
+    # Gemfile, but no need to create PR automatically.
     open-pull-requests-limit: 0
-<% end %>
+<%- end -%>