GitHub Dependabot support for Haskell packages

[frasertweedale]

Story

As a haskell developer (who uses GitHub), I want Dependabot to support Haskell, so that
when new versions fix security issues, Dependabot will automatically create PRs that bump
the version bounds.

Further discussion

For some languages, dependabot only works on lock/freeze files.

In Haskell land, some projects have a freeze file committed to the repo, and some do not.

IF it is easier to tackle the freeze file scenario first, that is fine. Do the easy thing and deliver
value for some users, then tackle the harder problem.

[frasertweedale]

Articles and tools that may be helpful:

• https://discourse.haskell.org/t/a-github-action-to-bump-your-cabal-dependencies/6919
• https://github.com/dan-t/cabal-bounds

[unorsk]

According to GH people they no longer accept 'new' ecosystems as mentioned here and in the mean time they have been working on something that hasn't been crystallized yet

[frasertweedale]

Maybe we should focus on Renovate instead? renovatebot/renovate#8187

[ysangkok]

I've almost added Cabal support to Renovate, but it only supports ranges like >X.Y && <V.W and rangeStrategy=widen. I was thinking, that next I'd add rangeStrategy=pin support. If you have rangeStrategy=auto, it'd look at each constraint, and if it has the form ==X.Y.Z, it would use rangeStrategy=pin, which would then update it to the new version of the same form. This also means that Renovate would work with existing patterns, without the user having to configure rangeStrategies manually.

It is inspired by the handling of Cargo in Renovate. The advantage of pinning for cabal-install users is: Application authors can be sure that users for a specific application release are using a specific version of a dependency.

If you have ==X.Y and an explicit rangeStrategy=widen, it'd be converted to

>=oldVersion && <majorComponentsOfNewVersion+1.

I'd love to hear if you have any ideas on how to improve this.