
Update Dependabot config file #6392

Closed

dependabot-preview[bot]
Contributor

👋 Dependabot is moving natively into GitHub! This pull request updates your config file to the new syntax. When you merge this pull request, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates. Dependabot is now configured exclusively using config files.

You have configured automerging on this repository. There is no automerging support in GitHub-native Dependabot, so these settings will not be added to the new config file. Several 3rd-party GitHub Actions and bots can replicate the automerge feature.

Your account was configured to allow an unlimited number of open pull requests. This option is no longer supported in the new config file so it has been changed to 99.

If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

Learn more about the relaunch of Dependabot

Please note that regular @dependabot commands do not work on this pull request.

🤖💛

@dependabot-preview dependabot-preview bot added the dependencies Related to dependency updates label Apr 21, 2021
@shields-cd shields-cd temporarily deployed to shields-staging-pr-6392 April 21, 2021 19:37 Inactive
@chris48s
Member

Refs dependabot/dependabot-core#3523 (comment)
Refs #5231 (comment)

PR Generated from dependabot-preview:

Screenshot_2021-04-21 Dependabot

@calebcartwright
Member

Trying to do a mental refresh 🧠 With this change the functional result will be a handful of dependencies that we'll have to approve by hand (along with all the others), which the bots used to handle for us entirely, correct?

@calebcartwright calebcartwright left a comment

Approving as the changes LGTM, not merging though so others can review as needed

@AraHaan

AraHaan commented Apr 22, 2021

Just so you guys know, there is a way to keep what you currently have with dependabot preview (other than the unlimited PRs).

I did all the work to get automerge working; note it would require adding an automerge label, which you can copy from my repository too, along with the workflows, and changing them to suit this repository.

The repository that I set it all up on is https://github.com/Elskom/Sdk/

Note: PRs from forked repositories are not possible to automerge, and the auto-approve action would not work for PRs from forked repositories either.

Also, this would mean that the Badges org would need to make a dummy account (for use as a bot), add it to the organization, and create a PAT (personal access token) and add it as an organization secret to allow CI builds on the resulting merged commit. This is because merges made from github-actions do not invoke GitHub Actions workflows, so do take that into account before updating to the GitHub-native Dependabot.

Also, CircleCI might then have to be migrated to GitHub Actions, since the normal CI workflow (like how my repositories are set up) must then use the github-actions user to auto-approve the PR (since it uses the GitHub-provided GITHUB_TOKEN), because the bot used to merge could possibly be the one making some PRs as well (unless you want it set up to only merge PRs from dependabot and not make PRs, like to update submodules or whatever else is updated as part of a workflow commit to the default branch).

@chris48s
Member

OK. For the moment I'm going to close this as the issue has now been fixed because it was affecting a bunch of other people and we can stay on preview a bit longer so we don't need to do this today (although I suspect preview will be abandoned/deprecated fairly soon based on the conversation in dependabot/dependabot-core#3523 ). If we haven't moved things on, we can do this again another day.

@calebcartwright - yes, the impact of merging this would be that the handful of automerges we allow would have stopped working. Everything else would have been fine. I reckon most weeks only 2 or 3 PRs match our automerge rules, so it's not a huge overhead, but it is nice to keep if we can.

@AraHaan - There's a variety of GH Action-based solutions I've seen to this, but from what I have seen most of them either blanket auto-merge/auto-approve everything if the build passes (which is definitely not what we want) or give you less granularity than what dependabot-preview does. Our current setup is quite specific - we have a certain number of linting/testing dependencies which we auto-merge, and we only do that for minor/patch releases. We still require a manual review for major version bumps.

```yaml
automerged_updates:
  - match:
      dependency_name: 'chai*'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'cypress'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'eslint*'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'mocha*'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'sazerac'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'sinon*'
      update_type: 'semver:minor'
  - match:
      dependency_name: 'snap-shot-it'
      update_type: 'semver:minor'
```

This is the aspect of dependabot-preview which is proving hard to replicate.
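One way to approximate those per-dependency, minor/patch-only rules on GitHub-native Dependabot, given as an added example that is not part of this thread and not the Shields project's own configuration: a workflow that reads the PR's metadata with the `dependabot/fetch-metadata` action and, only when a rule matches, asks GitHub to auto-merge once required checks pass. The rule list is a transcription of the preview config quoted above; the workflow and step names, the `automerge` job id and the choice of squash merge are this example's own assumptions.

```yaml
# Added example (not the project's config): selective Dependabot automerge
# for GitHub-native Dependabot, mirroring the dependabot-preview rules above.
name: Dependabot selective automerge

# 'pull_request', not 'pull_request_target': on a PR from a fork the
# GITHUB_TOKEN is read-only, so forked PRs cannot be auto-merged here.
# That is the same limitation noted earlier in this thread.
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Act only on PRs whose triggering actor is Dependabot itself; a human
    # pushing to the branch changes the actor and disables the job.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Preview's update_type 'semver:minor' covered minor AND patch bumps
      # but never major, so both semver-minor and semver-patch are allowed
      # and a major bump falls through to manual review. Preview's
      # dependency_name globs ('chai*') become startsWith() checks; exact
      # names ('cypress') become equality checks.
      - name: Check the update against the automerge rules
        id: rule
        if: |
          contains(fromJSON('["version-update:semver-minor", "version-update:semver-patch"]'), steps.meta.outputs.update-type)
          && (
            startsWith(steps.meta.outputs.dependency-names, 'chai')
            || steps.meta.outputs.dependency-names == 'cypress'
            || startsWith(steps.meta.outputs.dependency-names, 'eslint')
            || startsWith(steps.meta.outputs.dependency-names, 'mocha')
            || steps.meta.outputs.dependency-names == 'sazerac'
            || startsWith(steps.meta.outputs.dependency-names, 'sinon')
            || steps.meta.outputs.dependency-names == 'snap-shot-it'
          )
        run: echo "matched=true" >> "$GITHUB_OUTPUT"

      # Enable GitHub's auto-merge for the PR. With branch protection and
      # required status checks in place, the merge happens only after CI
      # passes; a failing build still blocks it.
      - name: Enable auto-merge for the matched update
        if: steps.rule.outputs.matched == 'true'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats a practitioner should check before relying on this. First, `gh pr merge --auto` needs "Allow auto-merge" enabled in the repository settings and a branch protection rule with required status checks; without those the merge is not gated on CI. Second, `dependency-names` is a comma-separated list, so for a PR that bumps several packages the name checks only see the leading entry; in the preview era each Dependabot PR bumped one dependency, which is the situation the rules above were written for. The point AraHaan raised also applies: a merge performed under the built-in GITHUB_TOKEN does not start workflows on the resulting push, so if post-merge CI is required the merge step must use a token from a separate account stored as a secret.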

@chris48s chris48s closed this Apr 22, 2021
@AraHaan

AraHaan commented Apr 22, 2021

I agree I think that config file should be usable in the native dependabot as well.

@PyvesB PyvesB deleted the dependabot/add-v2-config-file branch May 23, 2021 14:24
@dependabot-preview
Contributor Author

As a reminder, Dependabot Preview will be shut down on August 3rd, 2021. You can merge this pull request to migrate to GitHub-native Dependabot. You can read the docs to learn more about what's changing, as well as find out how to get support if you need help migrating.
