[deps] renovatebot for bazel deps

[asraa]

Title: renovatebot for bazel deps

Description:
I recently came across this project https://github.com/renovatebot/renovate that states it has support for updating http_archives and other bazel deps. I'm curious if anyone has heard or tried it, and has any opinions on whether it might work.

I worry that

• It will not handle our repository_locations.bzl and our metadata format
• It will have too much noise or sense of priority, and will not be helpful in case dependency updates require changes and fixes in the repo

Ideally, it seems like we want a tool on top of it that can handle priority and being compliant with formatting. There are already warnings on new releases that appear in CI logs. (Another improvement would be making those warnings more visible)

[phlax]

looks good! i checked previously for dependabot <> bazel but it doesnt currently have support

...in case dependency updates require changes and fixes

afaict it creates PRs, so at very least, if we can make it work, its an independent warning system about dep updates (and possibly sec issues)

[moderation]

I came across this as well @asraa and pinged @htuch about it on Slack. I haven't gotten around to installing the self-hosted version. It looks like it might work - https://docs.renovatebot.com/modules/manager/bazel/

We currently have a lot of out of date deps as reported by tools/dependency/release_dates.py. We'll need to see if it works and whether it provides more value than the Python script we have traded off against it's complexity, size, maintenance etc.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.