Upgrade to GitHub Dependabot

[staticdev]

Closes #347

[cjolowicz]

Thanks for the PR (and your patience 😊)! This is definitely something that needs to happen. But there are still a lot of open questions:

• What is the correct onboarding for the new Dependabot feature? Your documentation changes suggest that users should still create an account at Dependabot and install their app, but it seems that this is obsolete because they would end up with the superceded preview app. The step you added is recommended for users who are upgrading from the preview Dependabot, right? In summary, the documented steps should work for all users. This is particularly tricky as the feature is still in Beta and subject to changes at short notice.
• The Dependabot badge in upgraded projects shows that Dependabot is inactive (last I checked). How can we fix this to show the correct Dependabot status?
• Can the open-pull-requests-limit setting be omitted, to go with the default? I saw something, maybe in the GitHub docs, that suggests it can.
• Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
• It looks like the new Dependabot picks up docs/requirements.txt when scanning from /? If so, the pip:docs section can be removed.
• If we rename .github/workflows/constraints.txt to, say, .github/requirements.txt (see Manage Python requirements of GH Actions with Dependabot retrocookie#106, which I was planning to port to the template), it looks like the new Dependabot picks it up when scanning from /. If so, the pip:.github section can be removed. However, while the Dependabot tab in GitHub suggests that the file is tracked, the update logs indicate that entries in .github/requirements.txt are not processed.

[staticdev]

You made very good observations. I don't have a definitive answer to all of them but I will tell what I know from the 6 repos that I own and are using the configs on the proposed PR #402 and #401.

• You are correct. There is no need anymore for steps 1 and 2 as it went native and GA in Github (I should remove that on a new commit). Also, the step 3 is an automerge feature for security vulnerable dependencies and are also not necessary if you consider using an automerge workflow proposed on the complimentary PR WIP: Automerge workflow #401.
• I didn't notice about the badge, and you are also right. I found an open issue for that Update badges to be compatible with the new native GitHub Dependabot dependabot/dependabot-core#1912, they would be fixing that soon. They are already tracking this here: dependabot/feedback#968
• Open pull-request limit and also schedule.time are automatic configs by Dependabot, if you migrate a dependabot-preview repo using their script (on dependabot.com) it is automatically added. I just stuck with the defaults here. But I've forwarded these questions directly to their staff here.
• I'm not sure about that. We have to test, but I think a section in config will still be needed as package-ecosystem: github-actions is just for Github Actions versions and for requirements.txt or constants.txt we need package-ecosystem: pip.

UPDATE: Github staff responded the remaining questions:

• Can the open-pull-requests-limit setting be omitted, to go with the default?
  Yup, the default is 5

• Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
  This should be set from your account settings in your dependabot dashboard. You can omit it and the default 5am UTC will be used.

[cjolowicz]

Thank you so much for the research.

[cjolowicz]

While some things are still in motion here, I went ahead and switched the Cookiecutter repository itself to GitHub Dependabot. Following the official flow, I did the following:

• Opt in to Dependabot security updates (Security > Dependabot alerts > Dependabot security updates).
• Request the Dependabot PR Update Dependabot config file #431 via the Dependabot.com dashboard
• Apply your patch to format the YAML code with Prettier
• Configure the schedule timezone and pull request labels

I credited you as a co-author on the Dependabot PR, and merged it.

As far as I can see, the following still needs to happen here (not saying you have to do this, but you are welcome to 😄):

• Remove the schedule.time setting to use the default instead (05:00 UTC)
• Remove the open-pull-requests-limit setting to use the default instead (5)
• Remove the Dependabot section from README.rst
• Update the Dependabot section in the User Guide (under External services):
  • Remove obsolete steps to integrate Dependabot
  • Link to the new official documentation for GitHub Dependabot
• Wait for Update badges to be compatible with the new native GitHub Dependabot dependabot/dependabot-core#1912 / badge issues after switch from dependabot-preview to GitHub's dependabot dependabot/dependabot-core#1960 to be resolved
• Remove the change adding a top-level .github/dependabot.yml, which is already covered by the Dependabot PR.

For now, let's not remove the configuration sections for the requirements files under docs and .github. Judging from Dependabot's behavior on another repository, it does not send pull requests for these files without the configuration sections (even though the files are listed on Insights > Dependency Graph > Dependabot).

[staticdev]

@cjolowicz done. About the badge issue, one alternative to waiting is removing it from READMEs until the issue is fixed.

[cjolowicz]

Excited that this becoming a thing 💯 and thanks again for doing the work! I left a few small suggestions for the changes to the User Guide.

I agree with you that we can simply remove the Dependabot badge for now. Let's do that.

Can you please also revert all the changes to the top-level .github/dependabot.yml? I think this file is fine the way #431 added it. Sorry for not expressing this more clearly earlier.

[staticdev]

Done.

[staticdev]

Hooray!