ci: replace Dependabot with Renovate (single-PR dependency updates)#123
Merged
Conversation
Dependabot's pnpm support left pnpm-lock.yaml stale (manual regen needed) and fanned each ecosystem out into separate, mutually-conflicting PRs. Renovate regenerates the lockfile natively and bundles every non-major update across all four ecosystems (npm, cargo, docker, github-actions) into a single PR on a stable branch. Major upgrades are held on the Dependency Dashboard for one-at-a-time review. - Add renovate.json: semver-safe grouping, majors gated by dashboard approval, weekly Monday schedule, native pnpm-lock regen, self-image in deploy compose ignored. - Add .github/workflows/renovate.yml: self-hosted runner with a workflow_dispatch dry-run preview + weekly cron. Header documents the RENOVATE_TOKEN requirement (GITHUB_TOKEN PRs don't trigger CI) and the Mend-app alternative. - Remove .github/dependabot.yml (superseded; keeping it would duplicate Renovate's PRs). - codeql.yml: add a paths-filtered pull_request trigger so dependency PRs are security-scanned pre-merge; broad PR scanning stays off to respect the free-tier cost tradeoff. - Document the Renovate setup in AGENTS.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Dependabot has been unhelpful here: its pnpm support left
pnpm-lock.yamlstale (needing a manual regen), and it fanned each ecosystem into separate, mutually-conflicting PRs — merge one and the rest's lockfiles conflict. This switches routine dependency updates to Renovate, which regenerates the lockfile natively and produces one grouped PR.What changed
renovate.json(new) — semver-safe. Bundles every non-major update across all four ecosystems (npm, cargo, docker, github-actions) into a single PR on a stable branch, with nativepnpm-lock.yamlregen. Major upgrades are parked on the Dependency Dashboard (dependencyDashboardApproval) for one-at-a-time review. Weekly Monday schedule (Australia/Melbourne); the app's own published image in the deploy compose files is ignored..github/workflows/renovate.yml(new) — self-hosted runner: weekly cron + aworkflow_dispatchdry-run button that previews the PR without opening it. Header documents the token requirement and the hosted-app alternative..github/dependabot.yml(removed) — superseded; leaving it would duplicate Renovate's PRs..github/workflows/codeql.yml— adds a paths-filteredpull_requesttrigger so dependency PRs get a pre-merge CodeQL scan. Broad PR scanning stays off to respect the free-tier cost tradeoff.AGENTS.md— documents the Renovate setup so it isn't reverted.Testing done
renovate-config-validator→ Config validated successfully.${{ }}).PRs opened with the default
GITHUB_TOKENdo not triggeron: pull_requestCI (GitHub recursion guard), so an update PR would show green with no checks. To fix:RENOVATE_TOKENsecret (fine-grained PAT / GitHub App token with contents + PRs + workflows) — the workflow uses it and CI fires. Dry runs work today with no token., orrenovate.yml(samerenovate.jsondrives it).Also: once Renovate is live, turn off "Dependabot security updates" in repo Settings so security PRs aren't duplicated (Renovate's
vulnerabilityAlertstakes over).How to test
Actions ▸ Renovate ▸ Run workflow, leave
dryRun: full→ the logs show the exact single PR it would open (incl. the lockfile bump) without creating anything. Flip tonullto go live.🤖 Generated with Claude Code