Update renovate config

[AlexSkrypnyk]

Updated renovate config via 🤠 RepoRanger.

Summary by CodeRabbit

• Chores
  • Streamlined dependency management configuration with consolidated package handling rules
  • Enabled automatic merging of dependency updates
  • Activated dependency dashboard for visibility into available updates
  • Enabled digest pinning for enhanced package integrity

[coderabbitai]

Walkthrough

Simplifies renovate.json configuration by removing granular package groupings and dependency-specific rules, replacing them with a single catch-all "all dependencies" rule. Enables automerge, dependencyDashboard, and pinDigests features while maintaining the existing branch prefix.

Changes

Cohort / File(s)	Summary
Renovate Configuration Consolidation renovate.json	Removes multi-block package rules with schedules, file-name matching, and datasource-specific configurations. Consolidates ~15 granular groups and custom managers into a single broad rule (matchPackageNames: ["*"]) with grouping as "all dependencies". Adds automerge, dependencyDashboard, and pinDigests settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Updated Renovate config to only update deps in the root of the project. #2277: Directly conflicts with this PR—removes matchFileNames and granular packageRules in favor of a single "all dependencies" rule, undoing previous file-scoping changes.
• Add config to Renovate to update root FE deps. #2278: Overlapping renovate.json edits—introduces npm-specific package rules and manager configurations while this PR consolidates rules broadly.
• Updated Renovate configuration to name all groups consistently and exclude language version updates. #2321: Related configuration restructuring—modifies grouping strategies, package-rule configurations, and pinDigests settings in renovate.json.

Poem

🐰 Configuration springs simplified and clean,
Granular rules fade, one broad path is seen,
Dependencies grouped in harmony's fold,
A rabbit hops fast through one path, not a thousand—bold! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update renovate config' is vague and generic, using non-descriptive language that doesn't convey the specific nature of the substantial changes made.	Consider a more specific title that reflects the main change, such as 'Simplify renovate config with consolidated dependency rules' to better describe the significant refactoring from granular groupings to a unified approach.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/repo-ranger-renovate

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@renovate.json`:
- Around line 20-22: The current Renovate rule only disables major updates for
managers listed in "matchManagers" (npm, composer), so Docker Compose majors can
still automerge; update the rule in renovate.json to include the docker-compose
manager (add "docker-compose" to "matchManagers") or remove "matchManagers" so
"matchUpdateTypes": ["major"] applies repo-wide, and ensure "enabled": false
remains for that rule so major updates across all managers (including
docker-compose) are blocked from automerge.
- Line 3: The root-level "automerge" setting is currently true and applies to
all Renovate PRs; change the root "automerge" to false and add a packageRules
array that enables automerge only for low-risk updateTypes (e.g., "patch",
"digest", and optionally "minor") so large mixed or high-risk groups won't
auto-merge; update the renovate.json to add a packageRules entry targeting those
updateTypes and/or specific packagePatterns while leaving other updates
requiring manual review.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7493e1c3-922c-4b49-bf9f-f09de940bebb

📥 Commits

Reviewing files that changed from the base of the PR and between 277d45d and bac0b29.

📒 Files selected for processing (1)

• renovate.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Renovate, does root-level automerge: trueapply to grouped PRs created by a catch-allpackageRules group (matchPackageNames: ["*"])? What do Renovate docs recommend as a safe automerge strategy for grouped updates?

💡 Result:

Yes. In Renovate, a root-level "automerge": true becomes the default for all updates (including grouped PRs) unless a matching packageRules entry overrides it. Renovate evaluates all matching packageRules and merges their resulting config, with later rules able to override earlier ones—so a catch-all grouping rule like matchPackageNames: ["*"] + groupName: ... will still inherit root automerge: true if it doesn’t set automerge itself. [1] Grouping (groupName) just changes how updates are bundled into branches/PRs; it doesn’t disable automerge by itself. [2]

Docs’ safer automerge strategy for grouped updates: Renovate maintainers recommend enabling automerge only for updates you’d “merge anyway,” and commonly for lower-risk updates (e.g., lock file maintenance, dev tooling, and non-major updates when you have good tests). [3] Their examples show scoping automerge with packageRules (e.g., only patch/minor, and excluding pre-1.0.0 because SemVer allows breaking changes there), which is especially important if you’re grouping. [4] They also explicitly show automerging within a group by combining matchUpdateTypes: ["patch","minor"] with automerge: true. [5] If you want extra safety, the docs also note splitting patch vs minor (so you can automerge patch while reviewing minor) using separateMinorPatch: true. [6]

Sources
[1] https://docs.renovatebot.com/configuration-options/
[2] https://docs.renovatebot.com/configuration-options/#groupname
[3] https://docs.renovatebot.com/key-concepts/automerge/
[4] https://docs.renovatebot.com/key-concepts/automerge/#automerge-non-major-updates
[5] https://docs.renovatebot.com/key-concepts/automerge/#automerge-monorepo-prs
[6] https://docs.renovatebot.com/configuration-options/#separateminorpatch

---

Remove root-level automerge or scope it to safe update types.

Root-level "automerge": true (line 3) applies to all PRs, including the catch-all dependency group (lines 25–27). This creates high blast radius: a single large mixed-update PR can auto-merge on green CI, bypassing staged rollout safety.

Renovate docs recommend scoping automerge to lower-risk updates only (e.g., patch, minor, digest). Set root automerge to false and add a packageRule to automerge only specific update types:

Safer config

-    "automerge": true,
+    "automerge": false,
         {
             "matchPackageNames": ["*"],
             "groupName": "all dependencies",
             "groupSlug": "all"
+        },
+        {
+            "matchUpdateTypes": ["patch", "minor", "digest", "pin"],
+            "automerge": true
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@renovate.json` at line 3, The root-level "automerge" setting is currently
true and applies to all Renovate PRs; change the root "automerge" to false and
add a packageRules array that enables automerge only for low-risk updateTypes
(e.g., "patch", "digest", and optionally "minor") so large mixed or high-risk
groups won't auto-merge; update the renovate.json to add a packageRules entry
targeting those updateTypes and/or specific packagePatterns while leaving other
updates requiring manual review.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Detecting common non-npm/composer manifests that Renovate may manage:"
fd -HI '(Dockerfile|docker-compose\.ya?ml|Chart\.yaml|values\.yaml|\.github/workflows/.*\.ya?ml|requirements\.txt|pyproject\.toml|Pipfile|go\.mod|pom\.xml|build\.gradle|Gemfile|Cargo\.toml)$' .

echo
echo "If files are listed above, consider whether major updates for those managers should also be disabled."

Repository: drevops/vortex

Length of output: 2612

---

🏁 Script executed:

cat -n renovate.json

Repository: drevops/vortex

Length of output: 1021

---

🏁 Script executed:

fd -HI '(renovate\.json|\.renovaterc|\.renovaterc\.json|\.renovaterc\.js|\.renovaterc\.cjs|renovate\.json5)$' .

Repository: drevops/vortex

Length of output: 402

---

Major-update blocking is too narrow for repo-wide automerge.

This rule disables majors only for npm and composer (lines 20-22). Since the repo includes docker-compose.yml and Renovate is configured with "extends": ["config:recommended"], the docker-compose manager is active. Its major updates are not blocked and may auto-merge due to the global "automerge": true setting.

Suggested guardrail

         {
-            "matchManagers": ["npm", "composer"],
             "matchUpdateTypes": ["major"],
             "enabled": false
         },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 20 - 22, The current Renovate rule only disables
major updates for managers listed in "matchManagers" (npm, composer), so Docker
Compose majors can still automerge; update the rule in renovate.json to include
the docker-compose manager (add "docker-compose" to "matchManagers") or remove
"matchManagers" so "matchUpdateTypes": ["major"] applies repo-wide, and ensure
"enabled": false remains for that rule so major updates across all managers
(including docker-compose) are blocked from automerge.

[github-actions]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[AlexSkrypnyk]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.32%. Comparing base (277d45d) to head (bac0b29).

❗ There is a different number of reports uploaded between BASE (277d45d) and HEAD (bac0b29). Click for more details.

HEAD has 5 uploads less than BASE

Flag	BASE (277d45d)	HEAD (bac0b29)
	10	5

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2398       +/-   ##
===========================================
- Coverage   79.37%   68.32%   -11.06%     
===========================================
  Files         126       42       -84     
  Lines        6711     2510     -4201     
  Branches       44        0       -44     
===========================================
- Hits         5327     1715     -3612     
+ Misses       1384      795      -589     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.