Dependabot frequency

[edward-shen]

While keeping up to date is a good thing, frequent updates create a lot of noise and can be annoying. Perhaps we can configure it to once a week, or once a month?

We can take larger period between dependabot checks because we already run cargo deny in CI, so any urgent issues will be noticed quickly, where we manually update.

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#scheduleinterval

[edward-shen]

Alternatively, we could probably do something with Github actions to create a new PR every month that runs cargo update, which might be better since I think dependabot still can't have a bundled PR (e.g. every dependency update is a separate PR).

[Byron]

Thanks a million for your suggestion! I became num towards dependabot but that doesn't mean it's working the way it should. Indeed, it bundling its updates and making it once a month or even less often would be the preferred mode of operation.

Right now I would be hesitant to change the schedule interval in fear of an onslaught of PRs every month.

On the other hand, there may be value in seeing each PR as it contains release notes and changes, which admittedly I don't read for patch releases.

So I am thinking to turn it off entirely for a while and do updates by hand from time to time, which is what I did before as well.

[somehowchris]

Just to have a comment after almost a year 😓

I'm a fan of renovate as it lets you configure when it will open something, how many concurrent PRs and how it should bundle them (all together, seperate, by namespace,...) and the PR just gives me a notification in gh which I can use as a small checklist and control