The secret-free Dependabot path stubbed every secret as "stub", which
trips provider config validation: hcloud wants a 64-char token and
Grafana wants fleet_management_auth as username:password. So the tofu
plan check went red on every Dependabot PR and I'd merge past it after
checking locally.

Generate stubs that pass the format checks instead - 64 chars for
tokens, stub:stub for *_auth keys. Verified locally: validate fails
with the old stubs (both errors reproduced) and passes with these.

* chore: add dependabot config

Add Dependabot for the three supported ecosystems in this repo:
GitHub Actions, Terraform (root + grafana/hetzner/pagerduty modules),
and Docker (service compose files + dotfile Dockerfiles). Weekly
schedule with per-ecosystem grouping to keep PR noise down.

* ci: make terraform validation work on dependabot PRs

Dependabot PRs run with no access to repository secrets and a read-only
token, so the SOPS decrypt step (and the PR-comment step) fail. Give
Dependabot a secret-free path: stub the secrets.yaml keys it reads and
run init -backend=false + validate, skipping decrypt/plan/comment. Human
PRs are unchanged and still get a full plan.
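
An added sketch of format-valid stub generation for the secret-free path described in the commit message above; it is not the repository's workflow code. It emits constant, non-secret values and checks their shape before `validate` would see them. Assumptions: the key name `hcloud_token`, the function names, the rule that every non-`*_auth` key gets a 64-character value, and the two shape checks, which only approximate the provider validation the message mentions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's workflow code.
# Key names other than fleet_management_auth are hypothetical.

# Return a stub that passes the format checks named in the commit message.
stub_value() {
  case "$1" in
    *_auth) printf '%s' 'stub:stub' ;;   # username:password shape
    *)      printf '%064d' 0 ;;          # 64 characters, all zeros
  esac
}

# Mirror the two format checks so a bad stub fails before tofu validate does.
# Assumption: these approximate the provider checks, they are not the
# providers' own validation code.
stub_ok() {
  case "$1" in
    *_auth)
      case "$2" in
        ?*:?*) return 0 ;;
        *)     return 1 ;;
      esac ;;
    *)
      [ "${#2}" -eq 64 ] ;;
  esac
}

# Emit a flat YAML document with one stub per key; fail on any bad stub.
write_stub_secrets() {
  for stub_key in "$@"; do
    stub_val="$(stub_value "$stub_key")"
    stub_ok "$stub_key" "$stub_val" || {
      echo "bad stub for $stub_key" >&2
      return 1
    }
    printf '%s: "%s"\n' "$stub_key" "$stub_val"
  done
}

# Usage in a secret-free CI step (constructed sample key names):
#   write_stub_secrets hcloud_token fleet_management_auth > secrets.yaml
```
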