add dependabot: add Actions CI updates merge requests automation

[Anton-Latukha]

Dependabot would weekly check updates for project's .github/workflows/workflow.yml & send information & patch updates (like these).

PR to CI configuration run CI with changes applied, which is a self-test.

---

• Patches conform to the coding conventions.
• Any changes that could be relevant to users have been recorded in the changelog.
• The documentation has been updated, if necessary.

[Mikolaj]

@Anton-Latukha: hi! Do you think using https://github.com/haskell/actions would aid us in solving #7798? Is that preferable to ghcup or does it complement it?

[jneira]

@Anton-Latukha: hi! Do you think using https://github.com/haskell/actions would aid us in solving #7798? Is that preferable to ghcup or does it complement it?

They are complementary, for example it uses chocolatey for win and ghcup for the rest automatically so you dont have to worry about. When the action will switch to use ghcup for all os's it will be transparent for us.

[Mikolaj]

Great, let's use it. Whom does the dependabot send info to? Is it via email?

[jneira]

Great, let's use it. Whom does the dependabot send info to? Is it via email?

I think security info about deprecated actions will be here: https://github.com/haskell/cabal/security/dependabot. I have received emails about those alerts for being watching the repo (or be a maintainer? not sure)
Like the recent ones about python deps when we changed the doc generation

And it will open auto pr's to update dependencies

[fgaz]

And it will open auto pr's to update dependencies

our workflow files are generated, so prs would be useless (but issues wouldn't)

[Anton-Latukha]

And it will open auto pr's to update dependencies

our workflow files are generated, so prs would be useless (but issues wouldn't)

Ok. Haskell-CI is both blessing & a curse.

I am "on the way" & think contributing some GitHub automation into it (I want to merge there HLint automation). But first I need to arrange stuff for that in actions.

---

@Anton-Latukha: hi! Do you think using https://github.com/haskell/actions would aid us in solving #7798? Is that preferable to ghcup or does it complement it?

I do not have access to actions repository & it seems without a maintainer, lives on drive-by maintenance. I can adopt it if needed.

actions/setup - yes - mainly uses ghcup.
https://github.com/haskell/actions/blob/f0ecab9af1c178879d2243035bba5832e5529b43/setup/src/installer.ts#L148-L166
haskell-ci mainly uses hardcode type of generation on ghcup.
Does haskell-ci uses it - yes. Autogenerated haskell-ci.yml it creates is great & portable way - but it is a very limiting design & does not allow to support CI platform abilities well. For example - I am sure Cabal need to use GitHub Actions for half of a CI & other half may be haskell-ci generated. I want to bridge the actions & tooling - but we will see - maintainers always decide.

The solution to the question of #7798 - is to make ghcup being able to provide (even if hidden from CLI & only for internal users) - support for old versions & for Cabal to work together with that project accordingly. To keep everything in one project. That probably requires where shell is required - to keep an archive of old code duplicates in ghcup to match shell code for old versions, for simplicity of keeping legacy compatibility & that requires more hands than one person.

I'm thinking about helping in ghcup more. Besides Haskell - I love POSIX shell programming. After a while would look at ghcup internals & remember what was discussed here. Maybe, as Ospald now has more shell experience - we should be compatible now. Now style in ghcup strangely reassembles how I write.

---

Because Cabal CI as said - is autogenerated - yes - do not see a reason to keep PR around, if only to use dependabot PRs as notifications.

[Anton-Latukha]

Looked into CI.

Thought through the situation from different angles.

The situation is obviously complex.

I can not recommend anything. Especially because almost nothing in workflows can be done, deshotgun-surgered or shelled-out to understand how to simplify it, because they are autogenerated from GenValidate.hs. & that is made by phadej pretty recently & who knew what & how to do - better than him. If there was a place to leverage haskell-ci - he'd probably used it.

It obviously a mess - because the installation was a mess before standardization work for ghcup.

& I do not know what Zinza is & Hoogle actually returns null (for me) but it is on hackage Hackage - I notified phadej on that occasion with his package.

In time I currently can only work on the fringes here and there taking responsibilities to ease the situation (like maybe helping-out in ghcup & haskell-ci. I already have a number of promises made which I should deliver.

[andreabedini]

@Anton-Latukha the CI has been rehauled in #7952. Do you think we could reconsider this analysis?