Add CI job to auto-update pre-commit dependencies weekly

[zanieb]

pre-commit provides an autoupdate command to bump dependency versions in the pre-commit configuration. Not only are our current versions all stale, with #8410 we'll want a reasonable way to update the Ruff version we are using.

Until Dependabot support is released dependabot/dependabot-core#1524, using pre-commits command is the best option.

Note pre-commit provides a service that does this, but I'm not interested in depending on it.

This job opens a new pull request with updates if there are any.

[zanieb]

I'm not sure I can test this via dispatch until it is merged

[mkniewallner]

You might be interested in https://github.com/renovatebot/renovate, which is another free and open-source dependency update manager that handles way more ecosystems than Dependabot (including pre-commit), and is also way more customisable (allowing for instances to group all patch dependencies into a single PR).

We use it on deptry, if you are curious (here's our configuration file, and fpgmaas/deptry#503 if you want to see a PR that updates a pre-commit dependency), and I've personally been using it quite extensively on multiple projects, so if you think this could be interesting to use on Ruff, I'd be happy to give a hand.

[charliermarsh]

Looks reasonable to me, defer to @zanieb on whether we want to use renovate :)

[zanieb]

Hm... tempting. I've never used it seems like most people seem to find the ux relatively similar.

@mkniewallner if you're interested in opening a pull request adding it I'll certainly review. It'd be nice to group patch version bumps in our cargo dependencies and bumps of development dependencies.

[mkniewallner]

Hm... tempting. I've never used it seems like most people seem to find the ux relatively similar.

@mkniewallner if you're interested in opening a pull request adding it I'll certainly review. It'd be nice to group patch version bumps in our cargo dependencies and bumps of development dependencies.

Happy to! I'll play a bit with the configuration on a fork to have a better representation of PRs that Renovate would create, and eventually open a PR over here.

[zanieb]

Noticing our pre-commit dependencies are way out of date and opening this to investigate them again....

[AlexWaygood]

FWIW I've used renovate in a few projects, and just switched typeshed over to using it. It's slightly more complex to setup than dependabot, but it's extremely configurable, and it's really useful that it can do pre-commit dependencies as well as other dependencies. I don't have any major complaints with it.

Happy to open a PR setting up the config for it on Monday so you can compare it with this!

[AlexWaygood]

Happy to open a PR setting up the config for it on Monday so you can compare it with this!

Here's what the renovate config would look like:

• Switch from dependabot to renovate #10567

[AlexWaygood]

Closing as superseded by #10567 👍