Description
Currently dependency update configuration is handled at the repository level using Dependabot configuration. This means that:
- Dependency update tooling isn't enforced across all repositories in the sigstore organisation.
  - Dependency update tools are recommended by OSSF scorecard [1].
- There's a lot of manual effort going on to update dependencies that Dependabot doesn't handle.
  - For example, this commit updating versions in helm charts can be done by Renovate. Our own helm-charts [2] are maintained this way.
I'm suggesting an organization-level configuration [3] for Renovate, with repository-level configuration overrides where required. It can evolve and grow over time to better fit the needs of sigstore maintainers, but a simple example might look like:
`sigstore/.github/default.json`:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Default preset for use with sigstore's repositories",
  "extends": ["config:base"]
}
```
in this repository, with `renovate.json` files in each individual repository that refer back to the organization-level configuration like so:
`renovate.json` (in each repository):

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>sigstore/.github"]
}
```
I am happy to implement this, and narrow down a config that fits your existing workflow, if this would be a welcome contribution 😅
References
Repos that currently have Dependabot configured
Footnotes

1. https://github.com/ossf/scorecard/blob/38be00c31f4f078120219ec3aaa76560835199fb/docs/checks.md?plain=1#L293-L295
2. https://github.com/renovatebot/helm-charts/commit/d7505047211d5c20d7c73e4bf5cb0361c92bd615
3. https://docs.renovatebot.com/config-presets/#organization-level-presets
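To show how the organization-level preset described in the issue can carry supply-chain policy beyond `config:base`, here is a fuller `sigstore/.github/default.json`. This is an added example, not the issue author's proposal or the sigstore organisation's actual configuration: the preset names (`helpers:pinGitHubActionDigests`, `docker:pinDigests`, `:dependencyDashboard`) are Renovate's documented shareable presets, while the label names, the helm grouping rule and the choice to enable them at all are assumptions made for illustration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Hypothetical organisation-level preset (added example, not sigstore's real config)",
  "extends": [
    "config:base",
    "helpers:pinGitHubActionDigests",
    "docker:pinDigests",
    ":dependencyDashboard"
  ],
  "labels": ["dependencies"],
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "packageRules": [
    {
      "matchManagers": ["helmv3", "helm-values"],
      "groupName": "helm chart updates"
    }
  ]
}
```

Pinning GitHub Actions and container images to digests rather than mutable tags means every update arrives as a reviewable pull request with a concrete hash, which is the behaviour the OSSF Scorecard "Pinned-Dependencies" and "Dependency-Update-Tool" checks look for; the `vulnerabilityAlerts` block makes Renovate raise PRs for GitHub security advisories promptly and label them so they can be triaged separately. A repository that needs to opt out of a piece of this keeps the one-line `"extends": ["github>sigstore/.github"]` from the issue and adds its own `ignorePaths` or `packageRules` beside it, since repository configuration is merged over the organisation preset.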