Skip to content

ci: replace Dependabot with Renovate (single-PR dependency updates)#123

Merged
AdamXweb merged 1 commit into
mainfrom
feat/wizardly-noether-cce5d9
Jul 7, 2026
Merged

ci: replace Dependabot with Renovate (single-PR dependency updates)#123
AdamXweb merged 1 commit into
mainfrom
feat/wizardly-noether-cce5d9

Conversation

@adamXbot

@adamXbot adamXbot commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why

Dependabot has been unhelpful here: its pnpm support left pnpm-lock.yaml stale (needing a manual regen), and it fanned each ecosystem into separate, mutually-conflicting PRs — merge one and the rest's lockfiles conflict. This switches routine dependency updates to Renovate, which regenerates the lockfile natively and produces one grouped PR.

What changed

  • renovate.json (new) — semver-safe. Bundles every non-major update across all four ecosystems (npm, cargo, docker, github-actions) into a single PR on a stable branch, with native pnpm-lock.yaml regen. Major upgrades are parked on the Dependency Dashboard (dependencyDashboardApproval) for one-at-a-time review. Weekly Monday schedule (Australia/Melbourne); the app's own published image in the deploy compose files is ignored.
  • .github/workflows/renovate.yml (new) — self-hosted runner: weekly cron + a workflow_dispatch dry-run button that previews the PR without opening it. Header documents the token requirement and the hosted-app alternative.
  • .github/dependabot.yml (removed) — superseded; leaving it would duplicate Renovate's PRs.
  • .github/workflows/codeql.yml — adds a paths-filtered pull_request trigger so dependency PRs get a pre-merge CodeQL scan. Broad PR scanning stays off to respect the free-tier cost tradeoff.
  • AGENTS.md — documents the Renovate setup so it isn't reverted.

Testing done

  • renovate-config-validatorConfig validated successfully.
  • Workflow YAML + expressions validated (no tabs, balanced ${{ }}).

⚠️ Admin action required before this is useful (pick ONE)

PRs opened with the default GITHUB_TOKEN do not trigger on: pull_request CI (GitHub recursion guard), so an update PR would show green with no checks. To fix:

  1. Add a RENOVATE_TOKEN secret (fine-grained PAT / GitHub App token with contents + PRs + workflows) — the workflow uses it and CI fires. Dry runs work today with no token., or
  2. Install the hosted Mend Renovate GitHub App — its PRs trigger CI automatically; if you do this, delete renovate.yml (same renovate.json drives it).

Also: once Renovate is live, turn off "Dependabot security updates" in repo Settings so security PRs aren't duplicated (Renovate's vulnerabilityAlerts takes over).

How to test

Actions ▸ Renovate ▸ Run workflow, leave dryRun: full → the logs show the exact single PR it would open (incl. the lockfile bump) without creating anything. Flip to null to go live.

🤖 Generated with Claude Code

Dependabot's pnpm support left pnpm-lock.yaml stale (manual regen needed)
and fanned each ecosystem out into separate, mutually-conflicting PRs.
Renovate regenerates the lockfile natively and bundles every non-major
update across all four ecosystems (npm, cargo, docker, github-actions)
into a single PR on a stable branch. Major upgrades are held on the
Dependency Dashboard for one-at-a-time review.

- Add renovate.json: semver-safe grouping, majors gated by dashboard
  approval, weekly Monday schedule, native pnpm-lock regen, self-image
  in deploy compose ignored.
- Add .github/workflows/renovate.yml: self-hosted runner with a
  workflow_dispatch dry-run preview + weekly cron. Header documents the
  RENOVATE_TOKEN requirement (GITHUB_TOKEN PRs don't trigger CI) and the
  Mend-app alternative.
- Remove .github/dependabot.yml (superseded; keeping it would duplicate
  Renovate's PRs).
- codeql.yml: add a paths-filtered pull_request trigger so dependency
  PRs are security-scanned pre-merge; broad PR scanning stays off to
  respect the free-tier cost tradeoff.
- Document the Renovate setup in AGENTS.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants