Consider renovatebot instead of dependabot #982
Description
I've seen a lot of projects using https://github.com/renovatebot/renovate of late, and recently tried it out myself on a project. I was hoping it would address some of the annoyances I've had from dependabot, and indeed it did. With renovatebot we can set up something like the following:
- Batched lockfile updates. When a dep releases an update that is semver-compatible with what we have in
Cargo.toml, it's good to update the lockfile so that we test with that latest version -- since that's indirectly what most users will get when they useuefias a dep. But there's not much value to us manually approving each of those, or to each one being in a separate commit. We can set up renovatebot to batch up these updates on a schedule, and automatically merge if the CI passes. - Regular PRs for non-semver-compat updates. These will still need manual approval, and are more likely to fail CI anyway due to API changes.
The only setup needed to make this happen is adding the renovate github app to the rust-osdev org if it's not already in there, and adding the renovate.json config.
Edit: oh, and we could also set it to automatically merge things like the typos updates :)