Enrolling automatic dependency updates also for non-security issues #54

Open
venkatamutyala opened this issue Oct 13, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@venkatamutyala

I noticed some of the workflows in this repository aren't pinned. Adding a tool like renovatebot can make life a lot easier and help manage your dependency updates.

For example, in one of your GitHub Actions you have:
https://github.com/OpenRailAssociation/github-org-manager/blob/main/.github/workflows/test.yaml#L31

With renovate bot it'll pin it to a precise SHA and create another PR for you so that you can accept updates/changes.

We use it at my organization and it saves a ton of time and also helps ensure we don't hit unexpected updates/changes or fall behind on security updates. Also, renovatebot supports a number of different languages and tools. It'll auto-detect what's in your repository and then create PRs where it finds updates. In your case it should update your Python dependencies automatically with no configuration beyond installing this GitHub app:

https://github.com/apps/renovate

I have a public config I am happy to share if you folks end up using renovatebot.

@cornelius
Member

I think it's a good idea to use a tool like renovatebot to automate updating dependencies. But I'll leave it to @mxmehl to discuss this further. He's away right now, we can continue once he is back.

@mxmehl
Member

mxmehl commented Dec 3, 2024

Thanks for the proposal.

In this project, I already enrolled Dependabot for security issues. I may extend it to also make regular updates, but this isn't strictly a security issue.

@mxmehl mxmehl changed the title [feat/security] adding renovatebot Enrolling automatic dependency updates also for non-security issues Dec 3, 2024
@mxmehl mxmehl added the enhancement New feature or request label Dec 3, 2024