Add token to Dependabot config (#46160)

- use new `DEPENDABOT_NPM_TOKEN` token
- add a .yarnrc file enforcing our registry choice globally
  - might not be necessary now but will help if we add new `npm` projects
- remove submodule update configuration for release/3.1

nits:
- add explicit day and time for our weekly updates
- move submodule update configurations together
  - Monday is the default but configuration takes less words than previous comments

Author: dougbu

.github/dependabot.yml

@@ -1,55 +1,64 @@
 version: 2
+registries:
+  azure.com:
+    token: ${{secrets.DEPENDABOT_NPM_TOKEN}}
+    type: npm-registry
+    url: https://pkgs.dev.azure.com/
+
 updates:
-  # Keep submodules up to date in 'main'.
-  - package-ecosystem: "gitsubmodule"
+  - package-ecosystem: npm
     directory: "/"
+    # Perform only security updates of our npm dependencies.
+    open-pull-requests-limit: 0
+    registries:
+    - azure.com
+    # Schedule should be ignored for security updates.
     schedule:
-      # Weekly interval opens PRs on Monday.
-      interval: "weekly"
-    allow:
-      - dependency-type: "all"
-    commit-message:
-      prefix: "[main] "
-      include: scope
-    labels:
-      - area-infrastructure
+      interval: monthly
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Weekly interval opens PRs on Monday.
+      day: monday
       interval: "weekly"
+      time: 05:00
+      timezone: "America/Los_Angeles"
     commit-message:
       prefix: "[main] "
       include: scope
     labels:
       - area-infrastructure
 
-  # Keep submodules up to date in 'release/*' branches. (Unfortunately Dependabot security PRs can't target these.)
-  # Monthly interval opens PRs on the first of each month.
+  # Keep submodules up to date in 'main'.
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
-      interval: "monthly"
+      day: monday
+      interval: "weekly"
+      time: 05:00
+      timezone: "America/Los_Angeles"
     allow:
       - dependency-type: "all"
     commit-message:
-      prefix: "[release/2.1] "
+      prefix: "[main] "
       include: scope
     labels:
       - area-infrastructure
-    target-branch: "release/2.1"
+
+  # Keep submodules up to date in 'release/*' branches. (Unfortunately Dependabot security PRs can't target these.)
+  # Monthly interval opens PRs on the first of each month.
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
       interval: "monthly"
     allow:
       - dependency-type: "all"
     commit-message:
-      prefix: "[release/3.1] "
+      prefix: "[release/2.1] "
       include: scope
     labels:
       - area-infrastructure
-    target-branch: "release/3.1"
+    target-branch: "release/2.1"
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:

.yarnrc

@@ -0,0 +1,2 @@
+# yarn lockfile v1
+registry "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/"