.github/dependabot.yml: disable eager updates for Go.

Given our development cycle, we'll instead do big-bang updates
after every release, to give time for all the updates to soak in
unstable.

This does _not_ disable dependabot security-critical PRs.

Signed-off-by: David Anderson <danderson@tailscale.com>

.github/dependabot.yml

@@ -2,13 +2,17 @@
 # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
 version: 2
 updates:
-  - package-ecosystem: "gomod"
+  ## Disabled between releases. We reenable it briefly after every
-    directory: "/"
+  ## stable release, pull in all changes, and close it again so that
-    schedule:
+  ## the tree remains more stable during development and the upstream
-      interval: "daily"
+  ## changes have time to soak before the next release.
-    commit-message:
+  # - package-ecosystem: "gomod"
-      prefix: "go.mod:"
+  #   directory: "/"
-    open-pull-requests-limit: 100
+  #   schedule:
+  #     interval: "daily"
+  #   commit-message:
+  #     prefix: "go.mod:"
+  #   open-pull-requests-limit: 100
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule: