chore(ci): add Dependabot to track published hotdata SDK

[zfarrell]

Adds a Dependabot config scoped to the hotdata crate so a chore(deps) PR is opened automatically when a new SDK version is published to crates.io. Merge after #145.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[claude]

This config won't track crates.io releases of the SDK as intended. In Cargo.toml:20, hotdata is a git dependency pinned to a rev:

hotdata = { git = "https://github.com/hotdata-dev/sdk-rust", rev = "1687ba2...", features = ["arrow"] }

Dependabot resolves updates from a dependency's declared source, not crates.io. Since the manifest sources hotdata from git, a crates.io publish is invisible to this config — the premise in the PR description and the header comment ("when a new version is published to crates.io") doesn't hold here.

For a git dependency, Dependabot's cargo updater only advances deps that track a branch (to the latest commit) or a tag; it does not reliably bump a dependency pinned to an explicit rev. So as written this is likely to open no PRs at all. And if it did advance the rev, it would bump to arbitrary default-branch commits — which directly conflicts with the deliberately pinned rev documented in Cargo.toml (the comment there explains this exact rev is the first to carry content_length on upload_stream).

To achieve the stated goal you'd need to either (a) switch the SDK to a crates.io dependency (hotdata = "x.y"), then this config works as described, or (b) track the git source explicitly (e.g. point the dep at a branch/tag and accept that Dependabot follows git, not crates.io). Please reconcile the config with how the dependency is actually sourced.

[claude]

Review

Blocking Issues

• .github/dependabot.yml: The config targets hotdata, but that dependency is sourced from git pinned to a rev (Cargo.toml:20), not crates.io. Dependabot resolves updates from a dependency's declared source, so the PR's stated mechanism ("when a new version is published to crates.io") does not apply. Dependabot does not reliably bump rev-pinned Cargo git deps, so this is likely to open no PRs; and if it did, it would advance to arbitrary default-branch commits, conflicting with the deliberately pinned rev documented in Cargo.toml.

Action Required

Reconcile the config with how hotdata is actually consumed. Either:

• Switch the SDK to a crates.io dependency (hotdata = "x.y"), after which this config works as described; or
• Track the git source explicitly (point the dep at a branch/tag) and update the description/comment to reflect that Dependabot follows git, not crates.io.

[claude]

Prior blocking issue resolved: hotdata is now a crates.io dependency (Cargo.toml:19, version = "0.1.1") rather than a git rev pin, so Dependabot's crates.io tracking applies as the PR describes. Config is well-formed.