Update all actions and use dependabot

[Nerixyz]

Notably, this updates @actions/checkout from v3 to v4, as it used Node 16 which isn't maintained anymore (notice the warnings at the bottom). Only @actionsx/prettier isn't updated to Node 20 yet (actionsx/prettier#119).

Additionally, I've added Dependabot for GH-Actions to help with keeping them up-to-date.

I noticed, that lcov now works, so codecov.yml might work again (with some adjustments as bors isn't used anymore).

[Emilgardis]

should we enable it?

[Nerixyz]

Let's try

[Nerixyz]

I suppose we need to add a CODECOV_TOKEN and add it to the twitch-rs org like described here.

[Emilgardis]

added the secret, just need to add the env to the workflow step

[simonsan]

Have you checked renovate as well, it's more configurable I feel. Example: https://github.com/rustic-rs/rustic/blob/main/.github%2Frenovate.json

[simonsan]

For coverage: haven't looked into the current CI, but here is a workflow using cargo tarpaulin: https://github.com/pace-rs/pace/blob/main/.github%2Fworkflows%2Fcoverage.yaml

[Emilgardis]

we actually have renovate enabled :D, it doesn't work very well. Maybe there's a way to fix it?

Which reminds me, should probably disable it if we switch to dependabot.

[simonsan]

we actually have renovate enabled :D, it doesn't work very well. Maybe there's a way to fix it?

Which reminds me, should probably disable it if we switch to dependabot.

On mobile, so not really able to look into it. But can check later, if there is a way to fix it.

[Nerixyz]

Have you checked renovate as well, it's more configurable I feel.

Not super familiar with renovate, but we could try to find a good config. I've only used dependabot because we use it in Chatterino and it works there. For rust, it's not ideal, as it only updates the dependencies you have in Cargo.toml, not e.g. Cargo.lock (except for security updates I think).

[Nerixyz]

Codecov seems to work: https://app.codecov.io/github/twitch-rs/twitch_api/commit/baacf77ff57c64f75e73bdbe2fabb7b8366c6156

[Nerixyz]

we actually have renovate enabled :D, it doesn't work very well. Maybe there's a way to fix it?

Which reminds me, should probably disable it if we switch to dependabot.

Seems like it's disabled for everything: https://github.com/twitch-rs/.github/blob/552dc354c76953dcb866e747613a501d1af28aa5/renovate-config.json#L33-L41 (if I read that correctly).

[Emilgardis]

I should've documented why. It doesn't use cargo semver. so it thinks that 0.1.0 -> 0.2.0 is a minor patch, when it is in cargo terms a major (where left most non-zero = major)

The reason I say it doesn't work is because it doesn't handle submodules like I wanted it to, it should update the lockfile when bumping submodules, but that doesn't seem to work.