Description
There is a key limitation with Dependabot, which is that it doesn't support automatically updating dependencies with security vulnerabilities in "active" release branches (for Antrea minor versions which are currently actively supported). This is described in more detail in #6934.
We have the following key requirements:
- ability to keep updating dependencies (Go / GitHub Actions) in the main branch, picking up all major / minor / patch releases (with some exceptions for specific dependencies)
- ability to update dependencies in active release branches when the update addresses a known vulnerability; this is desired to reduce the number of PRs created by the update bot, and to limit the risk of regressions for existing minor releases
Renovate is an alternative tool for dependency management, and it seems that it offers richer configuration options and may not suffer from the Dependabot limitation described above. For example, the matchBaseBranches matcher under packageRules can be used to limit the scope of a collection of update rules to some specific repository branches.
It may be useful to refer to the Renovate config for the Cilium project, as it seems they have the same use case (dependency updates for active release branches, but only when they address known vulnerabilities).
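As an illustration of the two requirements above, here is a sketch of a Renovate config (added here as an example; it is neither Antrea's nor Cilium's actual configuration). The branch names and the pinned module are placeholders, and the config assumes that the vulnerabilityAlerts block still raises security PRs on a branch where routine updates are disabled by a packageRules entry; that behaviour should be verified against the Renovate docs before relying on it.

```json5
// .github/renovate.json5 (json5 so that comments are allowed)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Branches Renovate scans; release branch names are placeholders
  "baseBranches": ["main", "release-1.14", "release-1.15"],
  // Security-driven updates: GitHub vulnerability alerts plus OSV lookups,
  // applied to every base branch listed above
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "osvVulnerabilityAlerts": true,
  // Keep go.mod / go.sum consistent after a Go module bump
  "postUpdateOptions": ["gomodTidy"],
  "packageRules": [
    // main: accept every Go module and GitHub Actions update (major, minor, patch)
    {
      "matchBaseBranches": ["main"],
      "matchManagers": ["gomod", "github-actions"],
      "enabled": true
    },
    // main: a per-dependency exception (placeholder module), skip major bumps only
    {
      "matchBaseBranches": ["main"],
      "matchPackageNames": ["example.com/pinned-module"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    // release branches: disable routine updates to limit PR volume and
    // regression risk; assumption: vulnerabilityAlerts above still produces
    // PRs for dependencies with a known vulnerability on these branches
    {
      "matchBaseBranches": ["release-1.14", "release-1.15"],
      "enabled": false
    }
  ]
}
```

Running Renovate with `--dry-run` (or reviewing the dependency dashboard issue it opens) on a fork is a cheap way to confirm that only the security-labelled PRs target the release branches before enabling it on the main repository.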