Add separate setting for source branch

[Andre601]

Right now does Dependabot only offer a updates[].target-branch setting that according to the docs is using the specified branch as both the source and final target branch for a PR.

This setup has its flaws, which can be most prominent when you have a repository with multiple modules that each have their own package management (i.e. a multi-module Maven project).
When dependabot now finds an update in a dependency, and this dependency is used across multiple modules, will it make separate PRs for each of those modules.
While this isn't as much of a problem, will it become one if the dependency bump is a breaking change and you have a CI set up that builds of the same target branch as configured in Dependabot.
Merging those PRs into the target branch can (and probably will) now create failed builds as one module has the bumped version, while the others don't.

I'll give a quick example with a list of events:

• Setup
  • Repository Example 4 modules using Maven.
  • 3 modules use the dependency com.example:Example which is on version 1.2.3
  • A CI is set up to build new jars using the main branch
  • Dependabot is configured to use main as target-branch for all modules.
• Dependabot detects that com.example:Example has a new version 2.0.0 (Changelog mention breaking changes)
• Dependabot creates 3 Pull requests to bump the version for each module using the dependency.
• 1st PR is merged: CI returns failure because the 2nd and 3rd module still use the old version.
• 2nd PR is merged: CI returns failure because the 3rd module still uses the old version.
• 3rd PR is merged: CI returns success.

From this example alone, which is based on one of my own repositories, can you see that the CI would report 2 failed builds because of the PRs all targeting the main branch and the PRs being separate.

While I can see the option of having all bumps for a particular package ecosystem being in the same PR do I feel like keeping them separate is a good idea, especially if for some reason the bump of the dependency in one module isn't wanted (Can also be used for actions that trigger on labels or for particular pushes to certain modules).

Also, you could obviously just have a separate branch for dependency updates that gets merged back into the main branch regularly, but I feel like this is a bit more effort than needed, because you would also need to constantly sync it with main again.

Having a setting to define one branch to check and another one to PR changes towards would be a good idea, as it could also allow you to tweak a few things (i.e. update code that would no longer work with the new version) before merging it back into the main branch to build.