feat(dependabot): add config file #1907

Closed
wants to merge 7 commits into from
Conversation

vinayakkulkarni

  • this PR enables support for dependabot instead of the currently installed dependabot-preview

@adamwathan
Member

Cool didn't know about this — what's the main benefit of doing it this way?

@vinayakkulkarni
Author

vinayakkulkarni commented Jun 28, 2020

Cool didn't know about this — what's the main benefit of doing it this way?

Since Dependabot is joining GitHub, they've recommended using the v2 config for all the dependabot-preview apps.

You can check your updates in the repo itself in this section

[Screenshot 2020-06-28 at 6:25:36 PM]

Instead of using the old dashboard, you can check the deps in the repo itself :)

@adamwathan
Member

Nice! Is there anything I need to do to explicitly enable auto-merging or any other custom configuration I had, and do I need to manually disable the old one?

@vinayakkulkarni
Author

You don't need to do anything explicitly, once this PR is merged, you can check for updates using this link.

If you want you can remove the dependabot-preview GitHub app that you've installed for this repo.

@vinayakkulkarni
Author

Yo @adamwathan,

Any thoughts on merging this?

Cheers :)

@RobinMalfait RobinMalfait left a comment


This would be a nice benefit; however, I think the config is incorrect.

.github/dependabot.yml (3 review comments, outdated, all resolved)
@vinayakkulkarni
Author

Hey @RobinMalfait,

I've fixed the requested changes.

Kindly re-review :)

@HonkingGoose
Contributor

Check for GitHub Action updates:

Dependabot can check for GitHub Action updates with package-ecosystem: github-actions.
You should be able to copy/paste the code block below into your pull request (do check if the spacing is correct!).

- package-ecosystem: github-actions
  directory: "/"
  schedule:
    interval: daily
    time: '00:00'
  open-pull-requests-limit: 10
  reviewers:
    - adamwathan
  assignees:
    - adamwathan
  commit-message:
    prefix: fix
    prefix-development: chore
    include: scope

From the GitHub Dependabot docs, package-ecosystem:

GitHub Actions: github-actions

Do not label things yourself, let Dependabot do it right by default

I recommend removing the "dependencies" label from the dependabot.yml file as you are duplicating the default Dependabot configuration.

If you don't specify any labels in dependabot.yml, Dependabot will use (and automatically create) these labels:

  • All updates get a "dependencies" label.
  • Npm updates get a "javascript" label.
  • GitHub Action updates get a "github_actions" label.

Relevant quote from GitHub Dependabot docs, setting custom labels:

By default, GitHub Dependabot raises all pull requests with the dependencies label. If more than one package manager is defined, Dependabot includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: java for Gradle updates and submodules for git submodule updates. GitHub Dependabot creates these default labels automatically, as necessary in your repository.
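A complete `.github/dependabot.yml` that applies the advice in this thread (npm plus github-actions, no custom `labels` so Dependabot's defaults apply, reviewers assigned since auto-merge is not available). This is an added example, not the file from this PR; it assumes the npm package lives at the repository root and that `adamwathan` is the intended reviewer.

```yaml
# .github/dependabot.yml -- added example, not the file submitted in this PR.
# Assumes package.json sits at the repository root ("/").
version: 2
updates:
  # npm dependencies. No `labels:` key on purpose: Dependabot adds
  # "dependencies" and "javascript" by default for this ecosystem.
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
      time: "00:00"
    open-pull-requests-limit: 10
    # A human reviews every update; GitHub-native Dependabot has no auto-merge.
    reviewers:
      - adamwathan
    assignees:
      - adamwathan
    commit-message:
      prefix: fix
      prefix-development: chore
      include: scope

  # Actions referenced from .github/workflows/*.yml. Default labels here
  # are "dependencies" and "github_actions".
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "00:00"
    open-pull-requests-limit: 10
    reviewers:
      - adamwathan
    assignees:
      - adamwathan
    commit-message:
      prefix: fix
      include: scope
```

Both entries use `directory: "/"`: for npm it points at the package manifest, for github-actions it is the repository root from which Dependabot locates the workflows directory.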

@vinayakkulkarni
Author

Updated the PR with support for github-actions ecosystem as well :)

Thanks @HonkingGoose

@HonkingGoose
Contributor

HonkingGoose commented Sep 9, 2020

Hi @adamwathan, I noticed you had some questions. I've got some answers for you! 😉

Nice! Is there anything I need to do to explicitly enable auto-merging or any other custom configuration I had, and do I need to manually disable the old one?

On auto-merge support for the integrated Dependabot:

Auto-merging is not supported anymore, and it is not going to be supported either. Quote from the project manager for Dependabot at dependabot/dependabot-core#1973 (comment):

Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

On removing the old dependabot-preview bot:

When you're not using the old dependabot-preview bot anymore on any of your repositories, you can remove it from your GitHub apps. When you're logged into GitHub, go to https://github.com/settings/installations and then click on the Applications tab to see a list of installed GitHub apps; you can remove the dependabot-preview bot from that screen.

On custom configurations:

There's a full list of configuration options that you can put in the dependabot.yml file: GitHub Docs for Dependabot configuration options.

For an overview of all the Dependabot functionality, go to the GitHub docs on "Keeping your dependencies updated automatically".

@adamwathan adamwathan force-pushed the master branch 2 times, most recently from f3893d1 to 55dcc53 Compare October 7, 2020 18:14
@adamwathan
Member

Thanks for this but going to try Depfu instead for a while since it has some features I'd like to try.

@adamwathan adamwathan closed this Oct 16, 2020