revelc/formatter-maven-plugin

Drop dependabot in favor of Renovate

Closed this issue · 3 comments

@ctubbsii I'll do the switch as it's super simple. I know you prefer PRs grouped once a month so we will need to adjust settings for that. Personally I prefer the constant flow so I'm not blasted with out-of-date updates at the end of the month. Quality and things missed by dependabot go way up with Renovate. I've not set up specific rules like once a month so I'll have to figure that part out. If you could, can you post here two answers for me? First, would it be initially acceptable to have it go back to the normal frequency of PRs until I figure out the schedule so I can easily flip over now, and second, what schedule of PRs works best for you? I'd expect this takes no time to figure out but the question is really if I get pulled elsewhere and forget :)

Major reason why: dependabot blasts all downstream repo forks with PRs. It's been a defect since before GitHub owned it and it's never been resolved. Other reasons: dependabot is not that good at detecting everything about a repo. Additionally, Renovate provides long-term issue tracking that makes it far easier to understand what dependencies the repo has and better tracks items we ignore by clicks rather than obscure file updates.

I may have asked this already on one of the other repos, don't recall; just reviewing my forks and seeing that it's still dependabot and my fork is getting updates in the last few days.

OK, guess I cannot add this, as I do not have the same rights on 'revelc'. Go here: https://github.com/marketplace/renovate, add it to revelc. Add all the formatter* repos; those will issue an initial onboarding PR that will give further details before it's actually live.

I'd strongly prefer not to have to trust a third party tool. We've seen things go wrong with CircleCI, TravisCI, etc. In this case, I just don't see much of an added value to make the extra risk of going with a third party worth it. I'd prefer not to grant whoever operates renovate access to the revelc repos at all.

As for my preference to have them bunched... my actual preference is that we don't need to bump anything until prior to release... during the development window, repeated bumps are pointless. I'd rather just bump once, as a batch, as a pre-release step. But, dependabot doesn't know when we release, and it doesn't batch multiple dependencies in the same PR. I've come to accept that. But, in general, my preference is for us to stop putting in so much unnecessary work and giving up our valuable attention unnecessarily, when it only matters for the released product.

A tool like renovate may be useful to larger projects, or more complex projects, but these projects are small, and I'd prefer to keep our tooling simple and low risk, and not go overkill on whatever latest trends are out there for tooling. I prefer minimalism over feature abundance.