Enable dependabot updates on a weekly basis

[SimonMarquis]

• using the version update label for Gradle updates
• grouping Kotlin, KSP, and Compose compiler
• on a weekly basis

ℹ️ General Availability of grouped updates

---

• Revoke Renovate authorization on the project "settings" page

[JoseAlcerreca]

Does this support dependency grouping? https://medium.com/androiddevelopers/automating-dependency-updates-in-a-compose-project-168ef5e89ac5

[SimonMarquis]

Yes it does: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups

[JoseAlcerreca]

Ok in that case kotlin, Compose compiler and KSP should be grouped.

https://github.com/android/architecture-templates/blob/main/renovate.json

Also, daily would probably be overwhelming. I'd start with weekly.

[SimonMarquis]

I'll update this PR to reflect these groups

[JoseAlcerreca]

I haven't used dependabot yet but this LGTM

[SimonMarquis]

FWIW, here is an example of grouped update with dependabot: SimonMarquis/SealedObjectInstances#136

[SimonMarquis]

🔔 @dturner @JoseAlcerreca @alexvanyo (sorry for the ping 🙈)

What is the current status of this PR? It could prevent the need to manually create PRs like in these recent ones:

• Update AGP 8.1.3 #1024
• Update Kotlin 1.9.20 #948

If we want to stick with the third party @renovate-bot, I'm fine with it (even though I kind of dislike the fact to give write permissions to a third party), but then we should allow independent updates. Because right now, it is configured to bundle all updates at the same time, and prevents us to easily update -and test- dependencies atomically.

[SimonMarquis]

PTAL 🔔 @dturner @JoseAlcerreca @alexvanyo

Sorry for the 2nd ping, but it's been almost 4 months 🙈, any comment on this? 🙂

[jdkoren]

LGTM, will also check with @JoseAlcerreca

[JoseAlcerreca]

Ok let's try dependabot

[SimonMarquis]

😎 Awesome! Now we need to find a process to validate these reviews in a timely manner.

I'd love to be able to approve them, but it would require you to give more permissions to individual users. Not sure if this is something you are willing to do.

We could also try to auto-approve and merge all patches/minor updates if the CI does not fail.

[lihenggui]

Two dependencies might be missed in the dependabot configuration file.

https://github.com/android/nowinandroid/blob/main/gradle/init.gradle.kts#L17
https://github.com/android/nowinandroid/blob/main/gradle/init.gradle.kts#L20

[dturner]

@SimonMarquis Yeah, completely understand that it can be frustrating to have PRs sat for months without being reviewed/merged. We have a mandate to ensure that the app shows best practices and that can lead to lengthy internal discussions, or worse no discussions because people don't have the bandwidth to discuss or review.

I'll investigate whether we can grant certain approval permissions to external contributors to speed things up.

@jdkoren Please could you investigate #893 (comment)

[SimonMarquis]

Regarding spotless/ktlint versions, they are currently part of an init script, and therefore can't access the main version catalog.

Possible solutions:

• wait for Make generated type-safe version catalogs accessors accessible from precompiled script plugins gradle/gradle#15383 and hope it will work for initscripts
• move this initscript into the build-logic itself
• parse the catalog file manually with an external library like ktoml/tomlj