
Commit 223c396

cailmdaley and claude committed
chore(deps): migrate from Dependabot to Renovate
Replace Dependabot with Renovate to end the per-PR merge toil. Renovate gives a single Dependency Dashboard issue plus branch automerge: routine uv.lock updates land silently on green CI with no PR, while majors and pyproject-floor changes stay human-gated.

Supply-chain posture carried over from dependabot.yml and sharpened:

- rangeStrategy update-lockfile — routine updates touch only uv.lock, never the abstract pyproject floors (the old "floor bumps need sign-off" rule, now structural).
- 14-day cooldown (30 for majors), as before; OSV alerts add malicious-package detection on top.
- CVE fixes get a short 3-day window then automerge on green CI.
- GitHub Actions stay SHA-pinned (helpers:pinGitHubActionDigests).

Activation needs one org-admin step (install the Renovate app); see the PR description.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 28a5105 commit 223c396

2 files changed

Lines changed: 86 additions & 75 deletions

File tree

.github/dependabot.yml

Lines changed: 0 additions & 75 deletions
This file was deleted.

.github/renovate.json5

Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
{
2+
$schema: "https://docs.renovatebot.com/renovate-schema.json",
3+
4+
// ── Renovate replaces Dependabot for shapepipe ──────────────────────────────
5+
//
6+
// Why the switch: Dependabot's only noise control is grouping, and its
7+
// security channel bypasses even that — so a same-day burst of advisories
8+
// arrives as N separate PRs that a human must merge by hand. Renovate gives a
9+
// single Dependency Dashboard issue plus *branch automerge*: routine updates
10+
// land silently on green CI with no PR at all. The supply-chain posture from
11+
// the old dependabot.yml is carried over below and, via OSV, strengthened.
12+
//
13+
// Requires the Renovate GitHub App (or a self-hosted runner) — see the PR
14+
// body for the one-time org-admin step.
15+
16+
extends: [
17+
"config:recommended",
18+
"helpers:pinGitHubActionDigests", // keep GitHub Actions SHA-pinned, as before
19+
],
20+
21+
// One issue is the control surface: everything pending lives there, and
22+
// nothing that needs a human decision becomes a PR until ticked.
23+
dependencyDashboard: true,
24+
25+
// pyproject declares ABSTRACT minimums; uv.lock holds the EXACT pins. Routine
26+
// updates therefore touch only the lockfile — abstract floors change solely by
27+
// deliberate human edit, never by the bot. (This makes the old "floor bumps
28+
// need maintainer sign-off" rule structural rather than a manual hold.)
29+
rangeStrategy: "update-lockfile",
30+
31+
// Supply-chain cooldown (was 14d / 30d-major in dependabot.yml). 2025-26 saw a
32+
// wave of maintainer-compromise attacks (Shai-Hulud, …); a release-age gate
33+
// lets a malicious version be caught and yanked before it reaches us.
34+
minimumReleaseAge: "14 days",
35+
internalChecksFilter: "strict", // genuinely withhold updates until aged, not "surface as pending"
36+
37+
// Keep the queue calm.
38+
prConcurrentLimit: 5,
39+
prHourlyLimit: 2,
40+
41+
// Weekly batched lockfile refresh, merged on green CI — the routine
42+
// "keep uv.lock current" job, fully hands-off.
43+
lockFileMaintenance: {
44+
enabled: true,
45+
schedule: ["before 6am on monday"],
46+
automerge: true,
47+
},
48+
49+
// CVE fixes (GitHub alerts + OSV, which adds malicious-package detection) skip
50+
// the long cooldown but keep a short 3-day window, then automerge on green CI —
51+
// fast, not instant. Flip `automerge` to false here if you want eyes on every
52+
// security fix.
53+
osvVulnerabilityAlerts: true,
54+
vulnerabilityAlerts: {
55+
minimumReleaseAge: "3 days",
56+
automerge: true,
57+
labels: ["security"],
58+
},
59+
60+
packageRules: [
61+
{
62+
// Routine minor / patch / digest: batch into ONE weekly branch and land
63+
// silently on green CI — no PR, no noise. (One branch = one container-build
64+
// CI run, which matters since that build is slow.)
65+
matchUpdateTypes: ["minor", "patch", "pin", "digest"],
66+
groupName: "all non-major",
67+
schedule: ["before 6am on monday"],
68+
automerge: true,
69+
automergeType: "branch",
70+
},
71+
{
72+
// Majors: never silent, never auto. 30-day age, then surface on the
73+
// dashboard for explicit approval before a PR is even opened.
74+
matchUpdateTypes: ["major"],
75+
minimumReleaseAge: "30 days",
76+
dependencyDashboardApproval: true,
77+
},
78+
{
79+
// ngmix is intentionally pinned to a tag in [tool.uv.sources]
80+
// (esheldon v2.4.0). Tag changes are a deliberate shape-measurement
81+
// decision, not a dependency bump — Renovate must not touch it.
82+
matchDepNames: ["ngmix"],
83+
enabled: false,
84+
},
85+
],
86+
}
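Review bot: the lockFileMaintenance block sets `automerge: true` but no `automergeType`, and Renovate's default automergeType is "pr", so the weekly uv.lock refresh will still open a PR and then merge it, which contradicts the "no PR at all" promise in the header comment and in the commit message; add `automergeType: "branch",` beside `automerge: true,` there, exactly as the "all non-major" package rule already does. Two related points on the same hunk. First, lock file maintenance regenerates uv.lock through uv's own resolver rather than through Renovate's version lookup, so please confirm that the `minimumReleaseAge: "14 days"` plus `internalChecksFilter: "strict"` gate actually constrains that job before treating the cooldown as the malicious-release control the comment above it describes; if it does not, the "all non-major" rule already covers routine minor/patch/pin/digest bumps on the same Monday schedule and lockFileMaintenance can simply be dropped rather than left as an unaged side door. Second, branch automerge never opens a PR, so the only checks it can wait for are those that run on a push to the renovate/ branch; the container-build workflow the comment mentions must trigger on push for those branches, not only on pull_request, or the silent merges will have no "green CI" to wait for.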

0 commit comments
