Consider adopting Renovate instead of dependabot

[mschoettle]

Hi,

I just came randomly across your repository (via this comment here: rhysd/actionlint#148 (comment)) and saw this note in the README:

To automate that, the only practical way I found was to rely on dependabot. But dependabot cannot update arbitrary versions in run: YAML blocks.

I have used Renovate for a few years now to update dependencies and find it much more powerful than dependabot. It is open source and has supported uv.lock for several months already. Plus, it has support for pre-commit etc. While I don't think it can update a pinned version in a workflow out of the box, Renovate supports the definition of custom managers.

For example, I use the setup-uv action and also want to pin the uv version everywhere (workflow, Dockerfile, pre-commit):

- name: Install uv
        uses: astral-sh/[email protected]
        id: setup-uv
        with:
          # renovate: datasource=pypi dependency=uv
          version: "0.6.11"

With a custom manager it is possible to get Renovate to update this version. I wrote a preset for this particular use case: https://github.com/mschoettle/renovate-presets?tab=readme-ov-file#actions-dependency-version

As I looked up the Renovate documentation I noticed that they also provide a custom manager preset for this to update _VERSION env variables: https://docs.renovatebot.com/presets-customManagers/#custommanagersgithubactionsversions

Anyway, just wanted to throw this out there in case that is of interest to you.

[kdeldycke]

Thanks @mschoettle for the heads up! Renovate is on my radar for a while now: it seems good enough for my use case as I'm not doing anything fancy in this repository, and switching to it will bring the bonus of reducing dependency on GitHub services (which is a nice to have). I'm planning to play with it in the future. I'll keep updating this issue to log my progress.