Replace renovate with dependabot

thriving-dev / java-library-template

🎨 Java library template • Gradle Kotlin DSL • GitHub Actions CI/CD to build, release & publish to Maven Central • Renovate • Trivy • Javadoc (Pages) • Issue & PR Templates

https://www.youtube.com/watch?v=nXs7hSV6ris&list=PL1tfxqbktkFYK5zYjfHxt4wFOus5R9Y3g&index=1

Other

32 stars 4 forks source link

Replace renovate with dependabot #33

Open StefMa opened 8 months ago

StefMa commented 8 months ago

Describe the feature

Instead of using renovate, the template should switch to dependabot.

Why? Because it reduces the configuration of this template. Users don't have to install anything. As soon as a .github/dependabot.yml file is present, dependabot is configured and ready to go.

I'm not familar with renovate, however, you might lose the ability to update Gradle itself. As far as I know renovate can handle Gradle updates while dependabot can't. But this could also be solved by using e.g. the Wrapper-Gradle-Plugin.

Additional information

[X] Would you be willing to help implement this feature?

Final checks

[X] Read the contribution guide.
[X] Check existing discussions and issues.

hartmut-co-uk commented 8 months ago

Thanks. Since the project is already tailored for GitHub this might be a good move. Would you be willing to simply create a repo from this template and make the change to this new repo first? This should allow us to make a direct comparison.

And yes, Renovate also updates the gradle (+wrapper) version.

StefMa commented 8 months ago

I just added the dependabot config file in the template. See https://github.com/StefMa/java-library-template/commit/94055c4ea5d913f97b323cce196a5d687cd0d9ea

It seem that right now all dependencies are up-to-date except of the testcontainer. See the respective PR: https://github.com/StefMa/java-library-template/pull/1

StefMa commented 8 months ago

I have just been thinking about this again and have come to the conclusion that this may not be an exclusive issue.

Using dependabot or renovate is probably a personal preference. One prefers to use one over the other. There are even pros and cons to using one or the other. Renovate has this dashboard as well as the ability to upgrading gradle (wrapper). Dependabot, on the other hand, is deeply integrated into the github ecosystem and doesn't require any additional setup to run; and so on... ☺.

While you already have your "setup project template github action", we could think about extending this to "want to use dependabot, renovate, or nothing". Depending on the choice, we will create either a renovate or a dependabot config file.

What do you think?

hartmut-co-uk commented 5 months ago

OK, overall, I think dependabot is a good choice and, as mentioned before, would be a good fit for the project. I like the idea of supporting both options. I believe it could be a straightforward implementation, would you be willing to create a PR with the proposed changes? (If not, I'll take it up myself)

StefMa commented 5 months ago

Right now I don't have the capacity to create a PR for this. Feel free to take over.