[DON'T MERGE] [dependabot] Put SQL db driver libraries into dependabot.yml

[mykola-elastic]

Proposed commit message

See title

The libraries used by SQL-related modules are added:

• "github.com/go-sql-driver/mysql" (MySQL)
• "github.com/microsoft/go-mssqldb" (Microsoft SQL Server)
• "github.com/lib/pq" (Postgres)
• "github.com/godror/godror" (Oracle)

Opened pull request limit increased 2 -> 3

Libraries added to one group "sql-libraries"

These are the main libraries for the following modules:

• x-pack/metricbeat/module/sql (uses all four of them)
• metricbeat/module/mysql
• metricbeat/module/postgresql
• x-pack/metricbeat/module/oracle
• x-pack/metricbeat/module/mssql

Also the go-mssqldb is mentioned in the consul module (probably copy-paste mistake):

• metricbeat/module/consul

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mykola-elastic? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[mykola-elastic]

oh, reviewers option is being removed in favor of CODEOWNERS file, which means that we wouldn't able to assign ourselves to review specific dependencies...
links:

• https://github.blog/changelog/2025-04-29-dependabot-reviewers-configuration-option-being-replaced-by-code-owners/
• ci: move from dependabot reviewers to CODEOWNERS #45084

[shmsr]

oh, reviewers option is being removed in favor of CODEOWNERS file, which means that we wouldn't able to assign ourselves to review specific dependencies... links:

• https://github.blog/changelog/2025-04-29-dependabot-reviewers-configuration-option-being-replaced-by-code-owners/
• ci: move from dependabot reviewers to CODEOWNERS #45084

@mykola-elastic I am thinking of running a small bot on our machines/server like Andrew does (I believe he wrote a program) to label PRs (you might have seen in integrations repo). Like a webhook server listening to events and at the creation of each PR, if it's a Dependabot one, based on the dependency, we can add label i.e., our team's label. Also, this is doable with GitHub Actions, but I'm not sure if we should put it in the .github directory. Meanwhile, that program can just do our job; even if 2-3 folks keep running that service on their machine, that's enough.

For now, this is the PR: #45142 that adds the dependencies we are targeting this sprint to test and upgrade. Please review.

[mykola-elastic]

@shmsr while reviewers is deprecated, there is still a labels option which is used in my PR, so we would get out team label on the dependencies listed. But I think you approach is better, because the dependabot doesn't seem to be designed to have multiple entries with the same package-ecosystem and directory. I used a "hack" by specifying target-branch: main so it thinks that the entry is different.

[mykola-elastic]

Closing in favor of #45142