[internal] switch to dependabot #1827

Open
pichlermarc opened this issue Nov 27, 2023 · 2 comments
Labels
internal up-for-grabs Good for taking. Extra help will be provided by maintainers

Comments

@pichlermarc (Member)

See #1806. Renovate bot does not handle package-lock.json updates correctly at the moment. It is unclear if this is due to misconfiguration or a bug in renovate.

Since the diff in package-lock.json has significant impact on the developer experience, we should switch to dependabot as it handles updates to package-lock.json as we expect.

Part of this issue is

  • translating the current renovate config to renovate (with regards to grouping, ignored packages - improvements welcome 🙂 )
  • disabling renovate bot
    • removing the config in the repository
    • reach out to a Maintainer to uninstall the app from the repository
pichlermarc added the internal and up-for-grabs labels on Nov 27, 2023
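As an illustration of the translation task in the list above (grouping and ignored packages), here is a `.github/dependabot.yml` for the npm ecosystem. This is an added example, not config from the opentelemetry-js-contrib repository or from renovate; the group names, the package patterns inside them, the weekly schedule and the commit prefix are assumptions chosen for illustration, and the `@opentelemetry/*` ignore rule reflects the later suggestion in this thread to keep the bot away from those packages so the release tooling owns them.

```yaml
# Added example of a dependabot config, not the project's own file.
# Assumed layout: single npm root; dependabot reads workspaces from the
# root package.json, so one "npm" entry covers a monorepo.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence
    open-pull-requests-limit: 10  # assumed cap on concurrent bot PRs

    # Ignored packages: @opentelemetry/* versions are pinned by the
    # release workflow, so the bot must never bump them (wildcard is
    # supported in dependency-name).
    ignore:
      - dependency-name: "@opentelemetry/*"

    # Grouping: one PR per group instead of one PR per package.
    # Group membership below is assumed, not the repository's real rules.
    groups:
      eslint:
        patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
      typescript-toolchain:
        patterns:
          - "typescript"
          - "ts-*"
      # Catch-all for remaining devDependencies; patch/minor only so a
      # major bump of a dev tool still gets its own reviewable PR.
      dev-minor-and-patch:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"

    commit-message:
      prefix: "chore(deps)"       # assumed convention
```

Two points worth checking when adapting this: `ignore` is evaluated before `groups`, so an ignored package never lands in a group PR, and any package not matched by a group still gets an individual PR (dependabot does not silently drop it), which is why the catch-all group above is restricted to `minor` and `patch` rather than everything.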
@trentm (Contributor) commented Mar 7, 2024

I wonder, now that #1917 is basically sorted out, if renovate will suffice -- as long as we configure it to skip @opentelemetry/* packages in its updates.

My personal experience is with dependabot, but it definitely has rough edges. Given the two OTel JS repos have been using renovate successfully for a while, I'd be inclined to give renovate another shot. What do you think?

@pichlermarc (Member, Author)

Yes renovate might suffice 👍 I think we can keep using it, but we'll need to have an eye out for any irregularities in the package-lock.json. I'm still open to giving dependabot a shot if we can roughly replicate the grouping we currently have with renovate.

With renovate I'm mainly worried about the behavior we see in renovatebot/renovate#25847. I can still see the same happening on the reproducer I linked. But since the release PR workflow adds a commit to sync package-lock.json it would bring the file back to a consistent state. So that's just a minor annoyance and I think it will likely be fine. 🙂

2 participants