Switch from dependabot to renovate #10567

Merged
merged 2 commits into from
Mar 25, 2024
AlexWaygood
Member

Summary

This PR sets up a renovate config for updating our dependencies, and removes our dependabot config. Advantages of renovate over dependabot are:

  • It will also update pre-commit dependencies for us
  • It's highly configurable

Disadvantages are:

  • It's highly configurable (so it's more difficult to wade through the docs to figure out exactly what configuration you want)

Note that this PR is necessary but not sufficient for enabling renovate on this repository, if we decide that this is the way we want to go. Renovate's Github.com app would also need to be enabled for this repository.

Configuration details

I've used renovate before in https://github.com/AlexWaygood/typeshed-stats and https://github.com/python/typeshed, so I'm pretty confident that this configuration file is basically correct. I've used a .json5 file rather than a .json file so that we can have comments in the file. (json5 is a supported file format for renovate configuration.) Some notes on the specific configuration options I've chosen:

  • Currently dependabot does not update our Python dependencies in python/ and scripts/, nor our npm dependencies in playground/. I've added those in this PR (renovate will look for PEP-621 dependencies only in the python/ and scripts/ dependencies, and will look for npm dependencies only in the playground/ directory), but I'm happy to take them out again if that's something we're not interested in.
  • All update PRs will come on Monday mornings, same as with our current dependabot setup
  • GitHub Actions updates will all be grouped into a single PR, same as our current dependabot setup. I've also grouped all our pre-commit dependencies into a single weekly PR, but haven't grouped any other dependencies together. I could do others as well, if we want them bunched up a bit more.
  • The pre-commit manager dependency manager needs to be explicitly opted into because the pre-commit maintainers prefer you to use the pre-commit.ci bot to autoupdate your dependencies: Pre-commit minimum version and docker entry renovatebot/renovate#11166 (comment). I don't think that's something we particularly need to worry about, however.

Test Plan

If the Renovate bot is enabled, it will validate this configuration file and open an issue for us if there are any errors.
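
A configuration along the lines this summary describes, as an added example that is not the contents of this PR's .github/renovate.json5. The schedule window, path patterns and group names are assumptions.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Tracking issue from which an update PR can be triggered by hand.
  dependencyDashboard: true,

  // All update PRs arrive on Monday mornings (the exact window is assumed).
  schedule: ["before 5am on Monday"],

  // The pre-commit manager is opt-in and must be enabled explicitly.
  "pre-commit": { enabled: true },

  // Look for PEP 621 dependencies only under python/ and scripts/.
  // Pattern is assumed; `fileMatch` is the option name from the time of this PR.
  pep621: { fileMatch: ["^(python|scripts)/.*pyproject\\.toml$"] },

  // Look for npm dependencies only under playground/ (pattern is assumed).
  npm: { fileMatch: ["^playground/.*package\\.json$"] },

  // Dependencies that must never be proposed for update.
  ignoreDeps: [
    "actions/upload-artifact",
    "actions/download-artifact",
  ],

  packageRules: [
    // One weekly PR for all GitHub Actions updates (group name is assumed).
    { groupName: "GitHub Actions", matchManagers: ["github-actions"] },
    // One weekly PR for all pre-commit hook updates (group name is assumed).
    { groupName: "pre-commit dependencies", matchManagers: ["pre-commit"] },
  ],
}
```

Run `renovate-config-validator` against the file before enabling the app, since option names change between Renovate releases.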

@AlexWaygood
Member Author

(This PR is a competing PR to #8411 -- we should either do that PR or this one, but not both.)

@MichaReiser MichaReiser added the ci Related to internal CI tooling label Mar 25, 2024
Member

@MichaReiser MichaReiser left a comment

Looks good to me. Is there a way to test this or do we have to wait for next Monday?

@AlexWaygood
Member Author

AlexWaygood commented Mar 25, 2024

> Is there a way to test this or do we have to wait for next Monday?

If we merge this PR and enable the renovate bot, the bot will immediately do one of two things:

  • Open an issue telling us there's an error in our configuration. The issue would look like this: Action Required: Fix Renovate Configuration python/typeshed#11586
  • Or, if there are no errors in our configuration, it will open a "dependency dashboard" issue that we will be able to use for tracking our scheduled dependency updates. (We can opt out of this, but I personally find it quite useful.) We can use the dependency-dashboard issue to manually trigger an update PR before Monday to try things out. The issue would look like this: Dependency Dashboard python/typeshed#11588

So we should get pretty quick feedback on any issues here if this is merged!

@MichaReiser
Member

Sounds good. Thanks. Let's give @zanieb some time to take a look at this PR. They set up the dependabot configuration initially.

Comment on lines 29 to 33
"ignoreDeps": [
// The latest versions of these are not compatible with our release workflow
"actions/upload-artifact",
"actions/download-artifact",
],
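
Review bot: the ignoreDeps entries for actions/upload-artifact and actions/download-artifact exclude every future release of both actions, while the comment only says the latest versions are incompatible with the release workflow. Consider recording in the comment which versions are affected and what has to change before the entries can be dropped, so the exclusion gets revisited rather than left in place indefinitely; while it stays, fixes to these two actions have to be tracked by hand.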
Member

Can we still do things like @<bot> ignore this version?

Member Author

I don't think you can @ renovate in the same way you can with dependabot. It's possible to add config to this file specifying that it should permanently ignore certain versions (or version ranges), however. Additionally, if you close a renovate PR, it will generally assume that you don't want to see any future PRs updating the dependency to that version. Docs here: https://docs.renovatebot.com/key-concepts/pull-requests/#normal-prs

Member

@zanieb zanieb left a comment

Thanks for doing this!

@AlexWaygood
Member Author

AlexWaygood commented Mar 25, 2024

I installed the renovate CLI tool (via npm) to validate this config, and it passed:

(setup-renovate)⚡ % npx --yes --package renovate -- renovate-config-validator               ~/dev/ruff
(node:98623) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
 INFO: Validating .github/renovate.json5
 INFO: Config validated successfully
@AlexWaygood AlexWaygood enabled auto-merge (squash) March 25, 2024 17:28
@AlexWaygood AlexWaygood merged commit 9e21e59 into main Mar 25, 2024
17 checks passed
@AlexWaygood AlexWaygood deleted the setup-renovate branch March 25, 2024 17:30