chore: consolidate dependency management to Renovate-only

chrisburr · chrisburr · commit aa1748abd683 · 2026-02-09T16:45:44.000+01:00
Replace Dependabot with Renovate for GitHub Actions version updates,
matching the approach already used in diracx-charts. Add documentation
covering the dependency management strategy across all project repos.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/docs/dev/explanations/dependency-management.md b/docs/dev/explanations/dependency-management.md
@@ -0,0 +1,44 @@
+# Dependency management
+
+DiracX uses [Renovate](https://docs.renovatebot.com/) to keep dependencies up to date across its repositories.
+All repos share a common baseline configuration with repository-specific rules where needed.
+
+## Shared settings
+
+Every `renovate.json` extends `config:recommended` and sets a **7-day minimum release age**.
+The cooldown period reduces exposure to broken or yanked releases — see
+[Renovate's *Minimum Release Age* docs](https://docs.renovatebot.com/configuration-options/#minimumreleaseage) for details.
+
+## Per-repository configuration
+
+### diracx
+
+| Dependency type                    | Manager          | Notes                                 |
+| ---------------------------------- | ---------------- | ------------------------------------- |
+| GitHub Actions                     | `github-actions` | Grouped into a single PR              |
+| Python packages (`pyproject.toml`) | `pep621`         | Auto-detected by `config:recommended` |
+| Dockerfiles                        | `dockerfile`     | Auto-detected by `config:recommended` |
+
+### diracx-charts
+
+| Dependency type                | Manager              | Notes                                  |
+| ------------------------------ | -------------------- | -------------------------------------- |
+| GitHub Actions                 | `github-actions`     | Grouped into a single PR               |
+| Helm chart dependencies        | `helmv3`             | Requires Dependency Dashboard approval |
+| Tool versions in `run_demo.sh` | Custom regex manager | Grouped into a single PR               |
+
+### diracx-web
+
+| Dependency type | Manager          | Notes                                 |
+| --------------- | ---------------- | ------------------------------------- |
+| GitHub Actions  | `github-actions` | Grouped into a single PR              |
+| npm packages    | `npm`            | Auto-detected by `config:recommended` |
+
+## What Renovate does *not* manage
+
+pre-commit hooks
+:   Managed by [pre-commit.ci](https://pre-commit.ci/), which opens its own update PRs.
+
+Security alerts
+:   GitHub's Dependabot **security alerts** remain enabled via repository settings.
+    These are independent of Dependabot *version updates*.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -169,6 +169,7 @@ nav:
       - Run demo: dev/explanations/run_demo.md
       - Extensions: dev/explanations/extensions.md
       - Designing functionality: dev/explanations/designing-functionality.md
+      - Dependency management: dev/explanations/dependency-management.md
     - Reference:
       - dev/reference/index.md
       - Dev env variables: dev/reference/env-variables.md
diff --git a/renovate.json b/renovate.json
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "minimumReleaseAge": "7 days",
+  "packageRules": [
+    {
+      "description": "Group all GitHub Actions updates together",
+      "matchManagers": ["github-actions"],
+      "groupName": "GitHub Actions"
+    }
+  ]
+}
