Use renovate #10422

Merged
merged 2 commits into from
Apr 19, 2024

@bluwy bluwy commented Mar 13, 2024

Changes

This PR is opened as a discussion if we want to use renovate! If so, we can merge this PR, then someone with repo perms can set up the renovate GitHub app following this instruction. I'd suggest giving the GitHub app access to this repo only as a start.


This PR removes the nightly.yml workflow in favor of renovate. The renovate GitHub app is free to use for public/private repos. I'm currently using it for Vite and Svelte orgs and I find it helpful. Some benefits:

  1. Easier to review deps that have updated. It provides a table of updated deps and links to changelog. Example: https://www.github.com/vitejs/vite/pull/16131
  2. It can help update major/breaking deps so we constantly keep them fresh. Example: https://www.github.com/vitejs/vite/pull/15234
  3. If we don't want to update a dep, it can remember it (by closing the PR or via config). Example: https://www.github.com/vitejs/vite/pull/12880

Notes:

  1. It will create one long-standing issue as a "dashboard" that we cannot close. Example: https://www.github.com/vitejs/vite/issues/4790
  2. It's configured to send a PR weekly on Monday like our current workflow for non-major dependencies.
  3. When a major dep upgrade is available, it'll send a PR to try and upgrade the dep (every Monday too iirc). There may likely be CI fails, but we can commit to the PR to fix it (renovate won't override changes).

Testing

I copied the config from Vite and tweaked it a bit.

Docs

n/a

changeset-bot bot commented Mar 13, 2024

⚠️ No Changeset found

Latest commit: 5194bb0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@github-actions github-actions bot added the 🚨 action Modifies GitHub Actions label Mar 13, 2024
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base", "schedule:weekly", "group:allNonMajor"],
"labels": ["dependencies"],
"rangeStrategy": "bump",
Member Author

This line will bump the dependency range in package.json. I think it's nice, but if we don't want to and prefer to update the lockfile only like before, it's also possible by removing this line.

I would agree this would be best practice to me, since the lock file is going to get updated anyway by someone building the library.


Eveeifyeve commented Mar 14, 2024

Renovate would be a great thing, but I would want to keep a tab and make sure it's on manual PR acceptance, since automatic could break a lot of Astro. But you should consider dependabot as well, which is built in to GitHub. Just add dependabot.yml to .github and define it and it will add it, so I would check that out first before considering renovate because there are some paid plans.


ematipico commented Mar 14, 2024

@bluwy can you give us a brief summary of how renovate will work, please?

Like, will it create a PR? What will it update/commit?


bluwy commented Mar 14, 2024

@ematipico I've updated the description (notes) to add a bit more detail. Let me know if I'm missing something. I think the linked PR examples are the best way to see how it works in practice.

@Eveeifyeve I've not used dependabot in the past because it didn't support grouped PRs (grouping multiple dep upgrades in one PR) until only recently. So I'm not really familiar with configuring it and can't quite vouch if there are any caveats in the long run. Happy to give it a shot though if you'd like to send a PR setting up dependabot.yml and we can compare them.

@ematipico
Member

I suppose we need to coordinate the merging of this PR with @matthewp so he can grant the permissions to renovate bot to run in the repository.

@matthewp
Contributor

Yes, I'll add this to my board.

@matthewp matthewp merged commit 91219a5 into main Apr 19, 2024
13 checks passed
@matthewp matthewp deleted the use-renovate branch April 19, 2024 12:49