mpalmer / action-validator

Tool to validate GitHub Action and Workflow YAML files
GNU General Public License v3.0
271 stars 25 forks

Automatically detect when schemastore needs to be updated #65

Open MPV opened 7 months ago

MPV commented 7 months ago

While Dependabot supports actions (and Rust?), it doesn't support bumping things like:

To avoid manual toil of PRs like:

mpalmer commented 7 months ago

Does Renovate support only raising a PR if certain files within the submodule change? I can't see anything obvious in its docs to cover that. Because schemastore has a lot of stuff updating all the time that we don't care about, and if it's going to raise a PR every time anything changes in that repo, it'll essentially have an (irrelevant) PR open all the time.

MPV commented 7 months ago

> [...] if it's going to raise a PR every time anything changes in that repo, it'll essentially have an (irrelevant) PR open all the time.

Well yes, but as long as you don't merge it, Renovate will just keep it open and up to date (so you can merge whenever, or based on rules/automation).

MPV commented 7 months ago

> Does Renovate support only raising a PR if certain files within the submodule change? I can't see anything obvious in its docs to cover that. Because schemastore has a lot of stuff updating all the time that we don't care about [...]

I do see what you mean. That sounds like it would be a decent solution, but I haven't seen that either. But maybe some kind of GitHub Action could be added to check those things (and only merge/label/pass a check when those files have changed, or similar).

For example by running something like this (pseudocode) on PRs opened by Renovate:

  1. Checkout this repo (and submodules).
  2. Check (somehow?) if there are changes to the desired files.
    1. Checkout repo twice (one in main, one for PR, compare files)?
    2. ...other ideas?
  3. Do something to move the PR forward.
    1. Pass check?
    2. Ping maintainer?
    3. Approve/merge PR?

mpalmer commented 7 months ago

If we're going to have a daily "check if anything's changed" job, renovate seems rather overkill. It'd be a lot easier to just have a daily action that did something like:

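```sh
git clone <etc etc>
git submodule update
cd src/schemastore
git fetch origin
# Pattern is quoted so the shell does not parse ( | ); the dot is escaped to match literally
git diff --stat HEAD..origin/main | egrep 'src/schemas/json/github-(workflow|action)\.json'
```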

... then opened a PR or did something else (maybe the job can just fail?, that'd be enough) to signal that the schemastore repo needs at least looking at for changes that might be worth pulling in.
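
The daily check described in the comment above, as an added example that is not part of the thread or of the action-validator repository. It uses `git diff --name-only` and exact path matching so the result does not depend on how `--stat` formats its output; the function names are hypothetical, and the submodule path, upstream ref and schema paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: fail a scheduled job when the two GitHub schemas changed upstream.
# Paths are the ones named in the thread; function names are made up here.

SCHEMA_PATHS='src/schemas/json/github-workflow.json
src/schemas/json/github-action.json'

# Read changed paths on stdin (one per line, as `git diff --name-only` prints
# them) and print only exact matches for the two schema files.
# -F: fixed strings, so "." is literal; -x: the whole line must match.
filter_schema_paths() {
    grep -Fx -e "$SCHEMA_PATHS" || true   # no match is not an error here
}

# Compare the pinned submodule commit (HEAD) with the upstream branch.
#   $1 = submodule checkout, default src/schemastore (from the thread)
#   $2 = upstream ref, default origin/main (from the thread)
# Returns 0 = nothing relevant changed, 1 = schemas changed, 2 = git failed.
check_schemastore() {
    dir=${1:-src/schemastore}
    ref=${2:-origin/main}
    git -C "$dir" fetch --quiet origin || return 2
    names=$(git -C "$dir" diff --name-only HEAD "$ref") || return 2
    changed=$(printf '%s\n' "$names" | filter_schema_paths)
    [ -z "$changed" ] && return 0
    printf 'schemastore changes worth reviewing:\n%s\n' "$changed" >&2
    return 1
}

# Constructed sample of `git diff --name-only` output for a dry run of the
# filter; only the first line is one of the two schema files.
SAMPLE='src/schemas/json/github-workflow.json
src/schemas/json/github-workflow-template.json
src/schemas/json/package.json
src/test/github-action/example.json'
printf '%s\n' "$SAMPLE" | filter_schema_paths
```

In a scheduled workflow, calling `check_schemastore` as the last step makes the job fail only when one of the two schema files differs from the pinned commit.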

MPV commented 7 months ago

> ... then opened a PR or did something else (maybe the job can just fail?, that'd be enough) to signal that the schemastore repo needs at least looking at for changes that might be worth pulling in.

Sounds like a decent idea.

MPV commented 7 months ago

I also noted that Dependabot does support rust, but it's an opt-in, with something along:

```yaml
package-ecosystem: cargo
```

mpalmer commented 7 months ago

> I also noted that Dependabot does support rust, but it's an opt-in, with something along:

That's a handy thing to know. One thing that bugs me about dependabot is that it spams you with "upgrade this naow!!!11!one!" PRs for things that have zero benefit in upgrading -- enabling it is essentially asking for the gift of infinite work. I've got daily cargo audit runs to find security vulns in dependencies, and cargo update/build runs to detect if a dep has introduced a breaking change. If there's something more that can usefully be added, I'm all ears.

(I'm going to change the title on this issue, to better reflect the underlying desire to detect relevant changes in the schemas)