From b81303cf07852b7ee27da672e863c1a495842a4d Mon Sep 17 00:00:00 2001 From: Marius van Niekerk Date: Thu, 11 Jun 2026 10:17:14 -0400 Subject: [PATCH 1/2] Add Renovate dependency updates Renovate is now the dependency-update path used by roborev, and kit should follow the same workflow instead of relying on Dependabot-style configuration. Keeping the managers explicit limits automated PRs to the dependency surfaces this repo actually has today: pinned GitHub Actions and Go modules. Go dependency updates are grouped and run through gomodTidy so generated PRs are easier to review and leave module metadata consistent. Vulnerability alerts stay immediate while normal updates retain the release-age buffer from the roborev config. Validation: jq . renovate.json Generated with Codex Co-authored-by: Marius van Niekerk
---
 renovate.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..6212bb6
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["config:recommended"],
+ "dependencyDashboard": true,
+ "enabledManagers": ["github-actions", "gomod"],
+ "osvVulnerabilityAlerts": true,
+ "minimumReleaseAge": "7 days",
+ "minimumReleaseAgeBehaviour": "timestamp-required",
+ "prCreation": "not-pending",
+ "internalChecksFilter": "strict",
+ "vulnerabilityAlerts": {
+ "minimumReleaseAge": null,
+ "prCreation": "immediate"
+ },
+ "packageRules": [
+ {
+ "matchManagers": ["gomod"],
+ "groupName": "Go dependencies",
+ "groupSlug": "go-dependencies",
+ "postUpdateOptions": ["gomodTidy"]
+ }
+ ]
+}
From 50865f749db00bdcdd8a86d3013abf677fea80f7 Mon Sep 17 00:00:00 2001
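Review bot: The commit message calls the repo's GitHub Actions pinned, but nothing in `"extends": ["config:recommended"]` keeps them that way; as far as I know the digest-pinning preset is not part of `config:recommended`, so a workflow step added later with a tag reference would stay on the tag. If pinning is policy, use `"extends": ["config:recommended", "helpers:pinGitHubActionDigests"]`. The stated validation, `jq . renovate.json`, only proves the file is well-formed JSON; running Renovate's `renovate-config-validator` as well would confirm that options such as `minimumReleaseAgeBehaviour` are recognised by the Renovate version that will read this file.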
From: Marius van Niekerk Date: Thu, 11 Jun 2026 10:19:01 -0400 Subject: [PATCH 2/2] Group Renovate JavaScript updates The base Renovate migration intentionally mirrors the current Go and GitHub Actions surfaces, but kit is expected to carry JavaScript dependency metadata separately. Enabling Renovate's npm manager in a follow-up keeps that concern reviewable on its own while allowing package.json, pnpm, npm, and Yarn lockfile updates to be handled by Renovate when those files are present. Grouping JavaScript dependency updates keeps the generated dependency-bump PR stream aligned with the grouped Go update behavior instead of producing one PR per package by default. Validation: jq . renovate.json Generated with Codex Co-authored-by: Marius van Niekerk
---
 renovate.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 6212bb6..01fea13 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,7 @@
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": ["config:recommended"],
 "dependencyDashboard": true,
- "enabledManagers": ["github-actions", "gomod"],
+ "enabledManagers": ["github-actions", "gomod", "npm"],
 "osvVulnerabilityAlerts": true,
 "minimumReleaseAge": "7 days",
 "minimumReleaseAgeBehaviour": "timestamp-required",
@@ -18,6 +18,11 @@
 "groupName": "Go dependencies",
 "groupSlug": "go-dependencies",
 "postUpdateOptions": ["gomodTidy"]
+ },
+ {
+ "matchManagers": ["npm"],
+ "groupName": "JavaScript dependencies",
+ "groupSlug": "javascript-dependencies"
 }
 ]
 }
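Review bot: The added npm rule puts every JavaScript update into one `JavaScript dependencies` branch with no `matchUpdateTypes` or `matchDepTypes` filter, so runtime and development packages land in a single lockfile diff where one unexpected change is easy to overlook. Narrowing the group, for example with `"matchUpdateTypes": ["minor", "patch"]`, should leave major bumps as individual PRs (the same applies to the gomod rule in patch 1/2). Since strict JSON cannot carry comments, a `"description"` string on each rule is the place to record why the grouping exists. The `packageRules` array opens above this hunk, so only the rule objects visible here were reviewed.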