From 2a02566b3e8da9b54a320fa8a6e2cf056823d46f Mon Sep 17 00:00:00 2001
From: Maybe Waffle
Date: Sun, 3 Mar 2024 00:05:28 +0100
Subject: [PATCH] Configure dependabot to update `Cargo.lock`

---
.github/dependabot.yml | 44 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..2b038bbe
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,44 @@
+version: 2
+updates:
+ # This updates the `Cargo.lock` file.
+ #
+ # -----------------------------------------------------------------------------------------------
+ #
+ # Generally Rust libraries do not have lock files. This grows from the idea that you always want
+ # to run CI with the most recent (semver compatible) dependency versions, since those are the
+ # versions new users will get.
+ #
+ # However this approach worsens the contribution experience, since PR's CI can fail because of
+ # a minor dependency update (e.g. because of an MSRV change or an accidental breaking change).
+ #
+ # To prevent this and make contribution experience a little bit better we include the lock file
+ # in the repository. To combat the problem of running CI against old versions, we have this
+ # dependabot job, which updates the `Cargo.lock` (and `Cargo.lock` only), every once in a while.
+ - package-ecosystem: "cargo"
+ # Directory where to search for build system configuration
+ directory: "/"
+
+ # Only change `Cargo.lock`, never change `Cargo.toml`
+ versioning-strategy: "lockfile-only"
+
+ # Check for updates weekly.
+ # This makes sure dependabot doesn't open PRs too often.
+ schedule:
+ interval: "weekly"
+
+ # Group dependencies, so dependabot does not open a million pull requests and instead just
+ # makes "bump everything" every once in a while
+ groups:
+ lock:
+ - patterns: ["*"]
+
+ # Allow both direct and indirect updates for all packages
+ allow:
+ - dependency-type: "all"
+
+ # Which labels to apply
+ labels: ["A-dependencies"]
+
+ # Stop dependabot from updating dependencies when the previous dependabot PR hasn't been
+ # merged/closed yet
+ open-pull-requests-limit: 1
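Review bot: The `groups` stanza in the lower half of the hunk writes `- patterns: ["*"]` as a sequence item under `lock:`, which makes the group a list rather than the mapping Dependabot's `groups.<name>` schema expects, so as far as I can tell the config will be rejected or the grouping ignored on the first run; it should read `lock:` / `  patterns:` / `    - "*"`. Since the whole point of the file is one "bump everything" PR, it is worth checking the first Dependabot run actually produces a grouped PR, because the ungrouped fallback combined with `open-pull-requests-limit: 1` is a trickle of single-crate PRs rather than a silent no-op. A grouped, lockfile-only bump also folds every transitive crate change into a single diff, so whoever reviews that PR still needs to read the `Cargo.lock` diff for newly introduced crates or changed sources rather than relying on the PR title.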