Investigate an optimal use for Dependabot, including:

• Should it merge its PRs automatically?
• Should it upgrade packages any time there's a version bump or only on security notices?
• What configurations are available to us that we should consider? i.e. Can its updates be bundled? Is it configurable per branch (like only update main in the community and only update release-* branches in stolostron)?