| 1 | +{ |
| 2 | + $schema: "https://docs.renovatebot.com/renovate-schema.json", |
| 3 | + |
| 4 | + // ── Renovate replaces Dependabot for shapepipe ────────────────────────────── |
| 5 | + // |
| 6 | + // Why the switch: Dependabot's only noise control is grouping, and its |
| 7 | + // security channel bypasses even that — so a same-day burst of advisories |
| 8 | + // arrives as N separate PRs that a human must merge by hand. Renovate gives a |
| 9 | + // single Dependency Dashboard issue plus *branch automerge*: routine updates |
| 10 | + // land silently on green CI with no PR at all. The supply-chain posture from |
| 11 | + // the old dependabot.yml is carried over below and, via OSV, strengthened. |
| 12 | + // |
| 13 | + // Requires the Renovate GitHub App (or a self-hosted runner) — see the PR |
| 14 | + // body for the one-time org-admin step. |
| 15 | + |
| 16 | + extends: [ |
| 17 | + "config:recommended", |
| 18 | + "helpers:pinGitHubActionDigests", // keep GitHub Actions SHA-pinned, as before |
| 19 | + ], |
| 20 | + |
| 21 | + // One issue is the control surface: everything pending lives there, and |
| 22 | + // nothing that needs a human decision becomes a PR until ticked. |
| 23 | + dependencyDashboard: true, |
| 24 | + |
| 25 | + // pyproject declares ABSTRACT minimums; uv.lock holds the EXACT pins. Routine |
| 26 | + // updates therefore touch only the lockfile — abstract floors change solely by |
| 27 | + // deliberate human edit, never by the bot. (This makes the old "floor bumps |
| 28 | + // need maintainer sign-off" rule structural rather than a manual hold.) |
| 29 | + rangeStrategy: "update-lockfile", |
| 30 | + |
| 31 | + // Supply-chain cooldown (was 14d / 30d-major in dependabot.yml). 2025-26 saw a |
| 32 | + // wave of maintainer-compromise attacks (Shai-Hulud, …); a release-age gate |
| 33 | + // lets a malicious version be caught and yanked before it reaches us. |
| 34 | + minimumReleaseAge: "14 days", |
| 35 | + internalChecksFilter: "strict", // genuinely withhold updates until aged, not "surface as pending" |
| 36 | + |
| 37 | + // Keep the queue calm. |
| 38 | + prConcurrentLimit: 5, |
| 39 | + prHourlyLimit: 2, |
| 40 | + |
| 41 | + // Weekly batched lockfile refresh, merged on green CI — the routine |
| 42 | + // "keep uv.lock current" job, fully hands-off. |
| 43 | + lockFileMaintenance: { |
| 44 | + enabled: true, |
| 45 | + schedule: ["before 6am on monday"], |
| 46 | + automerge: true, |
| 47 | + }, |
| 48 | + |
| 49 | + // CVE fixes (GitHub alerts + OSV, which adds malicious-package detection) skip |
| 50 | + // the long cooldown but keep a short 3-day window, then automerge on green CI — |
| 51 | + // fast, not instant. Flip `automerge` to false here if you want eyes on every |
| 52 | + // security fix. |
| 53 | + osvVulnerabilityAlerts: true, |
| 54 | + vulnerabilityAlerts: { |
| 55 | + minimumReleaseAge: "3 days", |
| 56 | + automerge: true, |
| 57 | + labels: ["security"], |
| 58 | + }, |
| 59 | + |
| 60 | + packageRules: [ |
| 61 | + { |
| 62 | + // Routine minor / patch / digest: batch into ONE weekly branch and land |
| 63 | + // silently on green CI — no PR, no noise. (One branch = one container-build |
| 64 | + // CI run, which matters since that build is slow.) |
| 65 | + matchUpdateTypes: ["minor", "patch", "pin", "digest"], |
| 66 | + groupName: "all non-major", |
| 67 | + schedule: ["before 6am on monday"], |
| 68 | + automerge: true, |
| 69 | + automergeType: "branch", |
| 70 | + }, |
| 71 | + { |
| 72 | + // Majors: never silent, never auto. 30-day age, then surface on the |
| 73 | + // dashboard for explicit approval before a PR is even opened. |
| 74 | + matchUpdateTypes: ["major"], |
| 75 | + minimumReleaseAge: "30 days", |
| 76 | + dependencyDashboardApproval: true, |
| 77 | + }, |
| 78 | + { |
| 79 | + // ngmix is intentionally pinned to a tag in [tool.uv.sources] |
| 80 | + // (esheldon v2.4.0). Tag changes are a deliberate shape-measurement |
| 81 | + // decision, not a dependency bump — Renovate must not touch it. |
| 82 | + matchDepNames: ["ngmix"], |
| 83 | + enabled: false, |
| 84 | + }, |
| 85 | + ], |
| 86 | +} |
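Review bot: The weekly `lockFileMaintenance` block (gutter lines 43–47, `automerge: true`) likely undercuts the 14-day `minimumReleaseAge` that the comment at lines 31–34 presents as the carried-over supply-chain control: as far as I know, lock file maintenance hands the lockfile to the package manager's own upgrade path (for uv, `uv lock --upgrade`) and Renovate's release-age / `internalChecksFilter` gating is not applied to what the resolver picks, so a version published the night before could land in uv.lock and be merged on Monday morning with no cooldown — please confirm against the current Renovate docs for `lockFileMaintenance` before relying on it. The `all non-major` package rule (lines 61–70) already refreshes uv.lock on the same schedule under the cooldown, so the two branches overlap; either drop the block (`lockFileMaintenance: { enabled: false }`) or at least set `automerge: false` there so an unaged refresh needs a human. Separately, the comments, unquoted keys and trailing commas are only valid if this is committed as `renovate.json5`; a strict `renovate.json` would be rejected. Lastly, `automergeType: "branch"` at line 69 needs the Renovate app to be allowed to push to the protected base branch, and I believe Renovate falls back to opening a PR when it cannot, which is worth stating in that comment so the "no PR at all" promise does not break silently.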