version: 2
updates:
  # This updates the `Cargo.lock` file.
  #
  # -----------------------------------------------------------------------------------------------
  #
  # Generally Rust libraries do not have lock files. This grows from the idea that you always want
  # to run CI with the most recent (semver compatible) dependency versions, since those are the 
  # versions new users will get.
  #
  # However this approach worsens the contribution experience, since PR's CI can fail because of
  # a minor dependency update (e.g. because of an MSRV change or an accidental breaking change).
  #
  # To prevent this and make contribution experience a little bit better we include the lock file
  # in the repository. To combat the problem of running CI against old versions, we have this
  # dependabot job, which updates the `Cargo.lock` (and `Cargo.lock` only), every once in a while.
  - package-ecosystem: "cargo"
    # Directory where to search for build system configuration
    directory: "/" 

    # Only change `Cargo.lock`, never change `Cargo.toml`
    versioning-strategy: "lockfile-only"
    
    # Check for updates weekly.
    # This makes sure dependabot doesn't open PRs too often.
    schedule:
      interval: "weekly"
    
    # Group dependencies, so dependabot does not open a million pull requests and instead just
    # makes "bump everything" every once in a while
    groups:
      lock:
        patterns: ["*"]

    # Allow both direct and indirect updates for all packages
    allow:
      - dependency-type: "all"
    
    # Which labels to apply
    labels: ["A-dependencies"]

    # Stop dependabot from updating dependencies when the previous dependabot PR hasn't been
    # merged/closed yet
    open-pull-requests-limit: 1