Evaluate dependency update bot for `NuGet` packages and notifications

[lex57ukr]

Goal

Choose and document a dependency update solution for this repository that can detect outdated .NET / NuGet packages and notify about updates on a predictable schedule.

Scope

• Evaluate available options, including:
  • GitHub Dependabot (native)
  • Renovate (hosted GitHub App or self-hosted)
• For each option, document:
  • Configuration location and file format
  • Supported update cadence (daily / weekly / monthly)
  • Noise control options (grouping, ignore rules, security-only mode, etc.)
  • How notifications are surfaced (PRs, security alerts, GitHub notifications)
  • Required permissions and repository or organization-level settings
• Decide on a recommended approach for keystone-cli
• Define follow-up implementation tasks as separate issues (configuration + tuning)

Outcome

• A clear decision on which dependency update tool to use, with rationale
• A documented configuration plan (what files to add, where, and why)
• Follow-up implementation issues created for incremental rollout

Notes

• Prefer low-noise defaults (e.g., weekly cadence, grouped updates where supported)
• Security alerts are valuable even if automated version-bump PRs are throttled

[lex57ukr]

Triage

Start with Dependabot vs Renovate comparison and pick one.

Keep follow-up work as small issues:

1. Add config
2. Tune schedule/grouping/ignores
3. Confirm notifications + PR labeling behavior

[lex57ukr]

Decision

Recommended tool: GitHub Dependabot

Rationale

• Native integration — No additional GitHub App installation or permissions required
• Sufficient for this repo's needs — NuGet ecosystem support, weekly scheduling, grouping, and ignore rules cover our requirements
• Lower maintenance — GitHub-managed service with no self-hosting concerns
• Security alerts — Integrated with GitHub's security advisory database

Renovate offers more flexibility (monorepo support, advanced grouping), but that complexity isn't needed for a single-.NET-project repository like this one.

Configuration Plan

Add /.github/dependabot.yml with:

• nuget package ecosystem
• Weekly schedule (low-noise default)
• Target main branch
• Consider grouping minor/patch updates to reduce PR noise

Next Steps

Create implementation issue for adding the Dependabot configuration.