Merge pull request #1023 from teloxide/cargo-lock

Fix CI & make sure dependency auto updates can't fail CI

.github/dependabot.yml

@@ -0,0 +1,44 @@
+version: 2
+updates:
+  # This updates the `Cargo.lock` file.
+  #
+  # -----------------------------------------------------------------------------------------------
+  #
+  # Generally Rust libraries do not have lock files. This grows from the idea that you always want
+  # to run CI with the most recent (semver compatible) dependency versions, since those are the 
+  # versions new users will get.
+  #
+  # However this approach worsens the contribution experience, since PR's CI can fail because of
+  # a minor dependency update (e.g. because of an MSRV change or an accidental breaking change).
+  #
+  # To prevent this and make contribution experience a little bit better we include the lock file
+  # in the repository. To combat the problem of running CI against old versions, we have this
+  # dependabot job, which updates the `Cargo.lock` (and `Cargo.lock` only), every once in a while.
+  - package-ecosystem: "cargo"
+    # Directory where to search for build system configuration
+    directory: "/" 
+
+    # Only change `Cargo.lock`, never change `Cargo.toml`
+    versioning-strategy: "lockfile-only"
+    
+    # Check for updates weekly.
+    # This makes sure dependabot doesn't open PRs too often.
+    schedule:
+      interval: "weekly"
+    
+    # Group dependencies, so dependabot does not open a million pull requests and instead just
+    # makes "bump everything" every once in a while
+    groups:
+      lock:
+      - patterns: ["*"]
+
+    # Allow both direct and indirect updates for all packages
+    allow:
+      - dependency-type: "all"
+    
+    # Which labels to apply
+    labels: ["A-dependencies"]
+
+    # Stop dependabot from updating dependencies when the previous dependabot PR hasn't been
+    # merged/closed yet
+    open-pull-requests-limit: 1

.github/workflows/ci.yml

@@ -108,6 +108,22 @@ jobs:
       - name: Cache Dependencies
         uses: Swatinem/rust-cache@v2
 
+      # Generally MSRV dump is not considered a breaking change in by the Rust community.
+      # Thus a minor or a patch version dump of a dependency of ours, can bump MSRV.
+      # (remember that `cargo` uses newest semver compatible versions by default)
+      #
+      # It's silly to bump MSRV every time minor dependency update does (note that this update can
+      # happen even after our crate is published; so users may need to downgrade crates in
+      # `Cargo.lock` independently of how we test our crates), so we downgrade their versions in
+      # MSRV CI specifically instead. This allows as to
+      # 1. Not update MSRV unless we really need to
+      # 2. Test newest (or at least newer) versions of crates in CI
+      - name: Downgrade deps for MSRV
+        if: ${{ matrix.rust == 'msrv' }}
+        run: |
+            cargo update -p atomic-write-file@0.1.3 --precise 0.1.2
+        
+
       # NB. Don't test (build) examples so we can use non-msrv features in them (--tests/--doc)
       - name: Compile
         run: |

.gitignore

@@ -1,5 +1,4 @@
 /target
-Cargo.lock
 .idea/
 .vscode/
 *.sqlite