Formalise dependency policy

Having something written makes it easier for casual contributors to know
the rules.
1 job for !59 with work/jzarl/dependency-goals in 5 minutes and 19 seconds (queued for 7 seconds)
latest detached
Status Name Job ID Coverage
  Build
passed suse_tumbleweed_qt515 #142946
Linux

00:05:19