Use renovate instead of dependabot #120

Merged
daniel-mizsak merged 1 commit into main from feature/renovate
Apr 16, 2026

@daniel-mizsak daniel-mizsak commented Apr 16, 2026

  • Linting passes
  • Tests are added and passing
  • Documentation is updated

Summary by CodeRabbit

  • Chores
    • Updated automated dependency update configuration and switched tooling approach
    • Pinned GitHub Actions workflows and build system to immutable commit references for consistent reproducibility
    • Updated and pinned development dependencies, build requirements, and pre-commit hooks to specific versions
    • Re-enabled linter security checks to enhance code quality analysis

coderabbitai Bot commented Apr 16, 2026

Walkthrough

The pull request refactors dependency and CI/CD management by replacing Dependabot with Renovate, pinning GitHub Actions to immutable commit SHAs, replacing the pre-commit tool with prek, and updating various dependency versions with explicit pinning across development and documentation groups.

Changes

Cohort / File(s) | Summary
Dependency Management Migration: .github/dependabot.yml, .github/renovate.json5 | Removed entire Dependabot v2 configuration and added comprehensive Renovate setup with support for GitHub Actions, PEP 621, and pre-commit managers, including scheduling, grouping rules, and vulnerability alert handling.
GitHub Actions Pinning & Permissions: .github/workflows/cd.yml, .github/workflows/ci.yml, .github/workflows/stale.yml | Pinned GitHub Actions to immutable commit SHAs instead of semantic version tags (deploy-pages, download-artifact, gh-action-pypi-publish, stale, and reusable workflows); adjusted job permissions by removing actions: write and updated reusable workflow references to commit SHAs corresponding to v2.1.0.
Pre-commit Tooling Replacement: .pre-commit-config.yaml, Justfile, pyproject.toml | Removed pre-commit ci autoupdate schedule, pinned multiple hook repositories to frozen commit SHAs, added zizmor-pre-commit hook, replaced pre-commit command with prek in Justfile recipe, and substituted pre-commit dependency with prek==0.3.9 in dev dependencies.
Linter Configuration: .github/linters/.megalinter.yml | Re-enabled KICS linter error checks by removing it from DISABLE_ERRORS_LINTERS.
Project Dependency Updates: pyproject.toml | Narrowed build backend requirement to uv_build>=0.11.3,<0.12, relaxed NumPy from exact pin to minimum version, pinned all dev dependencies explicitly (coverage, nox, pytest, ruff, ty, prek), and pinned docs dependencies (zensical, mkdocstrings-python).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A rabbit's delight, with Renovate's cheer,
Commits pinned with SHA's, now crystal clear!
Pre-commit meets prek, a swift new way,
Dependencies dance in order today!
The burrow's CI runs smooth and true. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The PR title directly and accurately describes the main objective: replacing Dependabot configuration with Renovate for dependency automation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.

codecov Bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (a9d6f81) to head (43446bf).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #120   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines            7         7           
=========================================
  Hits             7         7           

@github-actions

MegaLinter analysis: Success

Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time
✅ ACTION | actionlint | 3 | | 0 | 0 | 0.01s
✅ COPYPASTE | jscpd | yes | | no | no | 1.33s
✅ MARKDOWN | markdownlint | 17 | | 0 | 0 | 0.79s
✅ MARKDOWN | markdown-table-formatter | 18 | | 0 | 0 | 0.31s
✅ REPOSITORY | checkov | yes | | no | no | 20.52s
✅ REPOSITORY | gitleaks | yes | | no | no | 0.25s
✅ REPOSITORY | git_diff | yes | | no | no | 0.01s
✅ REPOSITORY | grype | yes | | no | no | 40.24s
✅ REPOSITORY | kics | yes | | no | no | 1.1s
✅ REPOSITORY | secretlint | yes | | no | no | 1.08s
✅ REPOSITORY | syft | yes | | no | no | 2.87s
✅ REPOSITORY | trivy | yes | | no | no | 10.82s
✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.32s
✅ REPOSITORY | trufflehog | yes | | no | no | 4.92s
✅ YAML | prettier | 9 | | 0 | 0 | 0.5s
✅ YAML | v8r | 9 | | 0 | 0 | 8.53s
✅ YAML | yamllint | 9 | | 0 | 0 | 0.57s

See detailed reports in MegaLinter artifacts


Copilot AI left a comment

Pull request overview

This PR migrates automated dependency updates from Dependabot to Renovate, while also updating and pinning dependency/tooling references for more reproducible CI and developer workflows.

Changes:

  • Replaced Dependabot configuration with a new Renovate configuration (including grouping and pinning strategies).
  • Pinned GitHub Actions and pre-commit hook revisions to immutable commit SHAs; added a dedicated CI job for running prek.
  • Updated Python/dev tooling dependencies (including switching from pre-commit to prek) and refreshed the uv.lock.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

File | Description
uv.lock | Updates locked dependency set and metadata (incl. prek, tooling version bumps).
pyproject.toml | Adjusts build requirements and dependency constraints; pins dev/docs dependencies.
Justfile | Switches the hook runner command from pre-commit to prek.
.pre-commit-config.yaml | Pins hook repos to SHAs and adds zizmor hook.
.github/workflows/stale.yml | Pins actions/stale to an immutable SHA.
.github/workflows/ci.yml | Pins reusable workflows to SHA and adds a prek job.
.github/workflows/cd.yml | Pins actions to SHAs and updates publish action reference.
.github/renovate.json5 | Adds Renovate configuration to manage updates and pinning behavior.
.github/linters/.megalinter.yml | Re-enables KICS checks by removing it from disabled error linters.
.github/dependabot.yml | Removes Dependabot configuration.

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/cd.yml
Comment thread pyproject.toml
Comment thread Justfile
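
An added example, not code from this pull request or repository: a small audit that reports every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA, which is the property the reviews above describe for the actions and reusable workflows. The sample workflow, the all-placeholder SHA, the `v0.0.0` comment and the `example-org/example-repo` path are constructed for illustration.

```python
import re

# A `uses:` key on a step or reusable-workflow job, with an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(target):
    """Return 'local', 'docker', 'pinned' or 'unpinned' for one uses: target."""
    if target.startswith("./"):
        return "local"  # same-repository action, versioned with the repo itself
    if target.startswith("docker://"):
        return "docker"  # image references need digest pinning, not covered here
    _, sep, ref = target.rpartition("@")
    # Tags, branches and abbreviated SHAs can all be re-pointed or collide;
    # only a full commit SHA counts as pinned.
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    return "unpinned"


def audit(workflow_text):
    """Return (line_number, target, status, trailing_comment) per uses: line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            target, comment = match.group(1), match.group(2)
            findings.append((number, target, classify(target), comment))
    return findings


def unpinned(workflow_text):
    """Return (line_number, target) for every reference that needs pinning."""
    return [(n, t) for n, t, status, _ in audit(workflow_text) if status == "unpinned"]


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@0123456789abcdef0123456789abcdef01234567 # v0.0.0 (constructed)
      - uses: actions/download-artifact@v4
      - uses: ./.github/actions/local
  reuse:
    uses: example-org/example-repo/.github/workflows/ci.yml@main
"""

if __name__ == "__main__":
    for number, target in unpinned(SAMPLE):
        print(f"line {number}: {target} is not pinned to a full commit SHA")
```

The trailing comment captured by `audit` is where a human-readable version is usually recorded next to the SHA, so a reviewer can see which release a pin corresponds to.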
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

24-27: Update branch protection required checks for the new prek job.
If your protected branches currently require old check names, ensure prek is included so merges stay correctly gated.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 24 - 27, Branch protection rules need
to include the new workflow job name "prek": update your repository's branch
protection required status checks to add the "prek" check (the job declared as
prek in .github/workflows/ci.yml) so that the new check must pass before merges;
locate any configured required checks in your repo settings or automation (e.g.,
branch protection configuration) and add the exact check name "prek" to the list
of required checks.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c8aca0a5-4c23-4a2b-bc4f-694ea9da1162

📥 Commits

Reviewing files that changed from the base of the PR and between a9d6f81 and 43446bf.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/dependabot.yml
  • .github/linters/.megalinter.yml
  • .github/renovate.json5
  • .github/workflows/cd.yml
  • .github/workflows/ci.yml
  • .github/workflows/stale.yml
  • .pre-commit-config.yaml
  • Justfile
  • pyproject.toml
💤 Files with no reviewable changes (2)
  • .github/linters/.megalinter.yml
  • .github/dependabot.yml

@daniel-mizsak daniel-mizsak merged commit e3f45ae into main Apr 16, 2026
11 checks passed
@daniel-mizsak daniel-mizsak deleted the feature/renovate branch April 16, 2026 18:41