From 8e7d5ff612e8249c07f27c10741938167fd8e000 Mon Sep 17 00:00:00 2001
From: Chris Burr
Date: Mon, 9 Feb 2026 16:42:15 +0100
Subject: [PATCH] chore: consolidate dependency management to Renovate-only

Replace Dependabot with Renovate for GitHub Actions version updates, matching the approach already used in diracx-charts. Add documentation covering the dependency management strategy across all project repos.
---
 .github/dependabot.yml | 11 -----
 .../dev/explanations/dependency-management.md | 44 +++++++++++++++++++
 mkdocs.yml | 1 +
 renovate.json | 12 +++++
 4 files changed, 57 insertions(+), 11 deletions(-)
 delete mode 100644 .github/dependabot.yml
 create mode 100644 docs/dev/explanations/dependency-management.md
 create mode 100644 renovate.json

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 6c4b36953..000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-version: 2
-updates:
- # Maintain dependencies for GitHub Actions
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
- groups:
- actions:
- patterns:
- - "*"
diff --git a/docs/dev/explanations/dependency-management.md b/docs/dev/explanations/dependency-management.md
new file mode 100644
index 000000000..cc897874f
--- /dev/null
+++ b/docs/dev/explanations/dependency-management.md
@@ -0,0 +1,44 @@
+# Dependency management
+
+DiracX uses [Renovate](https://docs.renovatebot.com/) to keep dependencies up to date across its repositories.
+All repos share a common baseline configuration with repository-specific rules where needed.
+
+## Shared settings
+
+Every `renovate.json` extends `config:recommended` and sets a **7-day minimum release age**.
+The cooldown period reduces exposure to broken or yanked releases — see
+[Renovate's *Minimum Release Age* docs](https://docs.renovatebot.com/configuration-options/#minimumreleaseage) for details.
+
+## Per-repository configuration
+
+### diracx
+
+| Dependency type | Manager | Notes |
+| ---------------------------------- | ---------------- | ------------------------------------- |
+| GitHub Actions | `github-actions` | Grouped into a single PR |
+| Python packages (`pyproject.toml`) | `pep621` | Auto-detected by `config:recommended` |
+| Dockerfiles | `dockerfile` | Auto-detected by `config:recommended` |
+
+### diracx-charts
+
+| Dependency type | Manager | Notes |
+| ------------------------------ | -------------------- | -------------------------------------- |
+| GitHub Actions | `github-actions` | Grouped into a single PR |
+| Helm chart dependencies | `helmv3` | Requires Dependency Dashboard approval |
+| Tool versions in `run_demo.sh` | Custom regex manager | Grouped into a single PR |
+
+### diracx-web
+
+| Dependency type | Manager | Notes |
+| --------------- | ---------------- | ------------------------------------- |
+| GitHub Actions | `github-actions` | Grouped into a single PR |
+| npm packages | `npm` | Auto-detected by `config:recommended` |
+
+## What Renovate does *not* manage
+
+pre-commit hooks
+: Managed by [pre-commit.ci](https://pre-commit.ci/), which opens its own update PRs.
+
+Security alerts
+: GitHub's Dependabot **security alerts** remain enabled via repository settings.
+ These are independent of Dependabot *version updates*.
diff --git a/mkdocs.yml b/mkdocs.yml
index 462c4d046..a36d27f4c 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -169,6 +169,7 @@ nav:
 - Run demo: dev/explanations/run_demo.md
 - Extensions: dev/explanations/extensions.md
 - Designing functionality: dev/explanations/designing-functionality.md
+ - Dependency management: dev/explanations/dependency-management.md
 - Reference:
 - dev/reference/index.md
 - Dev env variables: dev/reference/env-variables.md
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 000000000..8dcb1bc0e
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["config:recommended"],
+ "minimumReleaseAge": "7 days",
+ "packageRules": [
+ {
+ "description": "Group all GitHub Actions updates together",
+ "matchManagers": ["github-actions"],
+ "groupName": "GitHub Actions"
+ }
+ ]
+}
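Review bot: The `extends` line in renovate.json turns on GitHub Actions version bumps without pinning them to commit digests, so if the workflows reference actions by tag (not visible in this patch) a tag moved after the 7-day `minimumReleaseAge` window would still be consumed. Consider `"extends": ["config:recommended", "helpers:pinGitHubActionDigests"],` so each `uses:` reference is rewritten to an immutable digest that Renovate then keeps current. The cooldown also relies on the datasource reporting a release timestamp, which is not guaranteed for Docker images, and how Renovate treats an update without one depends on its version; it is worth confirming that before the docs describe the 7-day age as applying to every manager. Grouping all actions into the single "GitHub Actions" PR is convenient, but it makes one unexpected bump easier to overlook in review.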