.github: replace dependabot with deps workflow (#277)

Dependabot ignores updates to Go modules that do not have semantic version
tags. See: https://github.com/dependabot/dependabot-core/issues/3017.

Therefore, this change replaces dependabot with a custom workflow with
upgrades Go dependencies using `go get -u ./...` and creates a PR. This PR
will be auto-merged using the existing logic for cadobot-generated PRs.

.github/workflows/deps.yml

@@ -0,0 +1,40 @@
+name: deps
+permissions:
+  contents: read
+on:
+  schedule:
+    - cron: "22 5 * * 1"
+jobs:
+  upgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
+        with:
+          go-version: 1.18.x
+      - name: Checkout code
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+        with:
+          persist-credentials: false
+      - name: Upgrade Modules
+        run: go get -u ./...
+      - name: Tidy
+        run: go mod tidy
+      - name: Diff
+        run: git diff
+      - name: Generate Bot Token
+        uses: tibdex/github-app-token@586e1a624db6a5a4ac2c53daeeded60c5e3d50fe # v1.5.2
+        id: bot
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@bd72e1b7922d417764d27d30768117ad7da78a0e # v4.0.2
+        with:
+          token: ${{ steps.bot.outputs.token }}
+          commit-message: "all: upgrade direct dependencies"
+          branch: auto-upgrade-deps
+          base: master
+          delete-branch: true
+          title: "all: upgrade direct dependencies"
+          body: "Auto-generated upgrade of module dependencies."