
chore: Move github-actions updates from Dependabot to Renovate #46

Open
devin-ai-integration[bot] wants to merge 1 commit into main from
chore/seceng-299-renovate-config

Conversation


@devin-ai-integration devin-ai-integration Bot commented May 4, 2026

Description

Moves management of GitHub Actions updates from Dependabot to Renovate. Dependabot continues to manage npm dependencies as today.

Changes:

  • .github/dependabot.yml — removes the github-actions block. The npm block is unchanged.
  • renovate.json (new) — extends the shared workos/renovate-config preset, scoped via enabledManagers: ["github-actions"] so Renovate does NOT touch npm.

Behavior gained from Renovate:

  • Automatic SHA pinning of any newly-added GitHub Actions via helpers:pinGitHubActionDigests.
  • 7-day cooldown on all GitHub Actions updates (minimumReleaseAge: "7 days" + minimumReleaseAgeBehaviour: "timestamp-required") — protects against compromised-but-not-yet-detected releases. Dependabot's GA cooldown was buggy enough that we picked Renovate for this rollout.
  • Grouped, automerged minor/patch/digest GitHub Actions updates after CI passes.
  • Manual review for major version bumps.

The shared preset lives at https://github.com/workos/renovate-config and any policy change is a single edit there that propagates to every consuming repo.

Refs SECENG-299.

Checklist

  • I have run npm run lint, npm run typecheck, npm run build, and npm test locally.
    • N/A — config-only change. The repo's lint/typecheck/build/test scripts don't touch dependency-management config.
  • I have updated the README or other docs if behavior changed.
    • N/A — no behavior change for consumers of this repo.
  • I have added or updated tests if appropriate.
    • N/A — config-only change.

Reviewer checklist (in addition to the above):

  • Confirm the Mend Renovate GitHub App is installed on this repo at https://developer.mend.io/github/workos. Without it, the new renovate.json is inert.
  • Verify there are no in-flight Dependabot PRs for github-actions that should be closed/redirected after this merges.
  • Optional: validate the JSON with npx --yes --package renovate -- renovate-config-validator renovate.json.

Link to Devin session: https://app.devin.ai/sessions/337e586a7c3e40ce8da2d048b402e6f5


- Remove the github-actions block from .github/dependabot.yml
- Add renovate.json extending the shared workos/renovate-config preset

Renovate (Mend) takes over GitHub Actions updates with:
- Automatic SHA-pinning of any newly-added Actions
- 7-day minimumReleaseAge gating
- Grouped, automerged minor/patch/digest updates
- Manual review for major version bumps

Dependabot continues to manage npm dependencies as today.

See https://github.com/workos/renovate-config for the preset.

Refs SECENG-299.
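For readers who want to see what the policy summarized above looks like when written out, the following renovate.json is an added illustration, not the PR's own renovate.json and not the contents of the workos/renovate-config preset. It inlines the behaviours the description lists (digest pinning, 7-day cooldown with timestamp-required, grouped automerge of non-major updates, majors left for manual review) and scopes Renovate to the github-actions manager only. The "$schema" and "config:recommended" entries are standard Renovate values assumed here; the consuming repo in this PR instead extends the shared preset (for example "github>workos/renovate-config"), which is assumed to carry equivalent rules.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests"
  ],
  "enabledManagers": ["github-actions"],
  "minimumReleaseAge": "7 days",
  "minimumReleaseAgeBehaviour": "timestamp-required",
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch", "digest"],
      "groupName": "github-actions (non-major)",
      "automerge": true
    },
    {
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

Two points a reviewer would check in such a config: enabledManagers is an allow-list, so anything not listed (npm here) is left to Dependabot, and automerge only fires once the PR's required status checks pass, which is what gives the "after CI passes" guarantee. With timestamp-required, an update whose release timestamp cannot be determined is treated as not yet old enough rather than waved through, so the cooldown fails closed; validate the file with the renovate-config-validator command given in the reviewer checklist before merging.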
@devin-ai-integration
Contributor Author

Original prompt from will.porter

'Implement Dependency Management for GitHub Workflow SHA pins' (SECENG-299)

User instruction: @devin let's consider ways to ease the pain of updating the SHA pins. Dependabot or Renovate configs may be a valid solution. Note that we will want some kind of feature such as minimumReleaseAge to prevent us from adopting workflows that are less than 7 days old. Please present options with pros and cons before implementing anything.

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@linear-code

linear-code Bot commented May 4, 2026


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.
