Add Renovate or Dependabot for automated dependency updates #48

@haasonsaas

Description

Problem

No renovate.json or .dependabot.yml exists in any EvalOps repository. Dependencies drift silently. When a CVE drops for pgx, NATS, OPA, or any transitive dependency, the org will find out from a security incident rather than an automated PR.

Specific drift observed:

Proposal

Option A: Renovate (recommended)

Create a shared renovate.json template:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "go": {
    "rangeStrategy": "bump"
  },
  "schedule": ["before 9am on Monday"],
  "automerge": true,
  "automergeType": "pr",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["minor", "major"],
      "automerge": false
    }
  ]
}

Option B: Dependabot

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

Rollout

Add to all Go service repos (14 total). Start with service-runtime since it's the dependency root.
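To find which of the 14 checkouts still lack any automated-update config before rollout, here is an added audit script (not part of this issue or the EvalOps repos). It assumes one local checkout per repository under a single parent directory, checks the config file locations Renovate and Dependabot actually read, and flags a dependabot.yml that does not cover the gomod ecosystem; the fixture it builds is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Config locations Renovate and Dependabot read from a repo root
# (assumption: local checkouts; Renovate config embedded in package.json is not checked).
RENOVATE_FILES = [
    "renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json",
    ".github/renovate.json", ".github/renovate.json5",
]
DEPENDABOT_FILE = ".github/dependabot.yml"
GOMOD_RE = re.compile(r'package-ecosystem:\s*["\']?gomod["\']?')


def audit_repo(repo: Path) -> str:
    """Classify one checkout: 'renovate', 'dependabot', 'dependabot-no-gomod',
    'none' (Go module with no updater config), or 'skip' (no go.mod)."""
    if not (repo / "go.mod").is_file():
        return "skip"
    if any((repo / f).is_file() for f in RENOVATE_FILES):
        return "renovate"  # config:recommended enables the gomod manager
    dep = repo / DEPENDABOT_FILE
    if dep.is_file():
        return "dependabot" if GOMOD_RE.search(dep.read_text()) else "dependabot-no-gomod"
    return "none"


def audit_org(root: Path) -> dict:
    """Audit every direct subdirectory of `root` (one checkout per repo)."""
    return {p.name: audit_repo(p) for p in sorted(root.iterdir()) if p.is_dir()}


def make_sample_org() -> Path:
    """Constructed fixture: four fake checkouts, one per outcome of interest."""
    root = Path(tempfile.mkdtemp())

    def repo(name, files):
        for rel, body in files.items():
            path = root / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)

    repo("service-runtime", {"go.mod": "module example/service-runtime\n"})
    repo("gateway", {"go.mod": "module example/gateway\n",
                     "renovate.json": '{"extends": ["config:recommended"]}\n'})
    repo("worker", {"go.mod": "module example/worker\n", ".github/dependabot.yml":
                    'version: 2\nupdates:\n  - package-ecosystem: "gomod"\n    directory: "/"\n'})
    repo("ui", {"go.mod": "module example/ui\n", ".github/dependabot.yml":
                'version: 2\nupdates:\n  - package-ecosystem: "npm"\n    directory: "/web"\n'})
    return root


if __name__ == "__main__":
    for name, status in audit_org(make_sample_org()).items():
        print(f"{name:16} {status}")
```

Point `audit_org` at the directory holding the real checkouts to get the list of repos to start with; anything reported as `none` or `dependabot-no-gomod` is where a CVE in pgx, NATS or OPA would currently go unnoticed.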

Impact

  • Automated vulnerability detection
  • Keeps dependencies fresh with minimal manual effort
  • Patches auto-merged, minor/major versions create PRs for review

Labels: enhancement (New feature or request)