200 changes: 15 additions & 185 deletions renovate.json
@@ -1,200 +1,30 @@
{
"extends": [
"config:recommended"
],
"branchPrefix": "deps/",
"labels": [
"Dependencies"
],
"assignees": [],
"ignorePresets": [
":prHourlyLimit2"
],
"extends": ["config:recommended"],
"automerge": true,

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Renovate, does root-level automerge: true apply to grouped PRs created by a catch-all packageRules group (matchPackageNames: ["*"])? What do Renovate docs recommend as a safe automerge strategy for grouped updates?

💡 Result:

Yes. In Renovate, a root-level "automerge": true becomes the default for all updates (including grouped PRs) unless a matching packageRules entry overrides it. Renovate evaluates all matching packageRules and merges their resulting config, with later rules able to override earlier ones—so a catch-all grouping rule like matchPackageNames: ["*"] + groupName: ... will still inherit root automerge: true if it doesn’t set automerge itself. [1] Grouping (groupName) just changes how updates are bundled into branches/PRs; it doesn’t disable automerge by itself. [2]

Docs’ safer automerge strategy for grouped updates: Renovate maintainers recommend enabling automerge only for updates you’d “merge anyway,” and commonly for lower-risk updates (e.g., lock file maintenance, dev tooling, and non-major updates when you have good tests). [3] Their examples show scoping automerge with packageRules (e.g., only patch/minor, and excluding pre-1.0.0 because SemVer allows breaking changes there), which is especially important if you’re grouping. [4] They also explicitly show automerging within a group by combining matchUpdateTypes: ["patch","minor"] with automerge: true. [5] If you want extra safety, the docs also note splitting patch vs minor (so you can automerge patch while reviewing minor) using separateMinorPatch: true. [6]

Sources
[1] https://docs.renovatebot.com/configuration-options/
[2] https://docs.renovatebot.com/configuration-options/#groupname
[3] https://docs.renovatebot.com/key-concepts/automerge/
[4] https://docs.renovatebot.com/key-concepts/automerge/#automerge-non-major-updates
[5] https://docs.renovatebot.com/key-concepts/automerge/#automerge-monorepo-prs
[6] https://docs.renovatebot.com/configuration-options/#separateminorpatch


Remove root-level automerge or scope it to safe update types.

Root-level "automerge": true (line 3) applies to all PRs, including the catch-all dependency group (lines 25–27). This creates high blast radius: a single large mixed-update PR can auto-merge on green CI, bypassing staged rollout safety.

Renovate docs recommend scoping automerge to lower-risk updates only (e.g., patch, minor, digest). Set root automerge to false and add a packageRule to automerge only specific update types:

Safer config
-    "automerge": true,
+    "automerge": false,
         {
             "matchPackageNames": ["*"],
             "groupName": "all dependencies",
             "groupSlug": "all"
+        },
+        {
+            "matchUpdateTypes": ["patch", "minor", "digest", "pin"],
+            "automerge": true
         }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` at line 3, the root-level "automerge" setting is currently
true and applies to all Renovate PRs; change the root "automerge" to false and
add a packageRules array that enables automerge only for low-risk updateTypes
(e.g., "patch", "digest", and optionally "minor") so large mixed or high-risk
groups won't auto-merge; update the renovate.json to add a packageRules entry
targeting those updateTypes and/or specific packagePatterns while leaving other
updates requiring manual review.

"rangeStrategy": "bump",
"timezone": "UTC",
"configMigration": true,
"ignorePaths": [
".vortex/**"
],
"enabledManagers": [
"composer",
"npm",
"dockerfile",
"docker-compose",
"github-actions",
"custom.regex"
],
"dependencyDashboard": true,
"pinDigests": true,
"branchPrefix": "deps/",
"packageRules": [
{
"groupName": "PHP - Language version - Skipped to update manually",
"groupSlug": "php-language-version",
"matchDepNames": [
"php"
],
"matchManagers": [
"composer"
],
"matchDepNames": ["php"],
"matchManagers": ["composer"],
"enabled": false
},
{
"groupName": "JavaScript - Language versions - Skipped to update manually",
"groupSlug": "js-language-versions",
"matchDepNames": [
"node",
"yarn"
],
"matchManagers": [
"npm"
],
"matchDepNames": ["node", "yarn"],
"matchManagers": ["npm"],
"enabled": false
},
{
"groupName": "PHP - All packages - Major - Skipped to update manually",
"groupSlug": "php-all-major",
"matchDatasources": [
"packagist"
],
"matchFileNames": [
"composer.json"
],
"matchUpdateTypes": [
"major"
],
"enabled": false,
"matchPackageNames": [
"/.*/"
]
},
{
"groupName": "PHP - All packages except core - Minor and patch",
"groupSlug": "php-all-except-core-minor-patch",
"matchDatasources": [
"packagist"
],
"matchFileNames": [
"composer.json"
],
"separateMinorPatch": false,
"schedule": [
"before 2am on Sunday"
],
"matchPackageNames": [
"/.*/",
"!drupal/core-composer-scaffold",
"!drupal/core-project-message",
"!drupal/core-recommended",
"!drupal/core-dev"
]
},
{
"groupName": "PHP - Drupal core - Minor and patch",
"groupSlug": "php-drupal-core-minor-patch",
"matchFileNames": [
"composer.json"
],
"schedule": [
"before 2am"
],
"matchDatasources": [
"packagist"
],
"matchUpdateTypes": [
"patch",
"minor"
],
"matchDepNames": [
"drupal/core-composer-scaffold",
"drupal/core-project-message",
"drupal/core-recommended",
"drupal/core-dev"
]
},
{
"groupName": "JavaScript - Non-root packages - Skipped to update manually",
"groupSlug": "js-non-root",
"matchDatasources": [
"npm"
],
"matchFileNames": [
"!package.json"
],
"enabled": false,
"matchPackageNames": [
"/.*/"
]
},
{
"groupName": "JavaScript - All packages - Major - Skipped to update manually",
"groupSlug": "js-all-major",
"matchDatasources": [
"npm"
],
"matchFileNames": [
"package.json"
],
"matchUpdateTypes": [
"major"
],
"enabled": false,
"matchPackageNames": [
"/.*/"
]
},
{
"groupName": "JavaScript - All packages - Minor and patch",
"groupSlug": "js-all-minor-patch",
"matchDatasources": [
"npm"
],
"matchFileNames": [
"package.json"
],
"separateMinorPatch": false,
"schedule": [
"before 2am on Sunday"
],
"matchPackageNames": [
"/.*/"
]
},
{
"groupName": "Container images - All - Major, minor and patch",
"groupSlug": "container-images-all-major-minor-patch",
"matchFileNames": [
".docker/**"
],
"schedule": [
"before 3am"
],
"matchManagers": [
"dockerfile",
"docker-compose",
"custom.regex"
]
"matchManagers": ["npm", "composer"],
"matchUpdateTypes": ["major"],
"enabled": false
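Review bot: the deletion of "enabledManagers" and "ignorePaths": [".vortex/**"] in this hunk widens Renovate's scope in two directions at once, and the change should say whether that is intended. Without "enabledManagers", every manager Renovate supports is active rather than only composer, npm, dockerfile, docker-compose, github-actions and the regex manager; without the ignore path, any manifest under .vortex/ now receives update PRs, which under the root "automerge": true would also merge on green CI. Dropping "rangeStrategy": "bump" is a behaviour change too: the default "auto" strategy decides per manager instead of bumping the declared ranges in composer.json and package.json. Suggest keeping "ignorePaths": [".vortex/**"] and, if opening up the manager list was deliberate, stating so in the PR description.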
Comment on lines +20 to +22


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Detecting common non-npm/composer manifests that Renovate may manage:"
fd -HI '(Dockerfile|docker-compose\.ya?ml|Chart\.yaml|values\.yaml|\.github/workflows/.*\.ya?ml|requirements\.txt|pyproject\.toml|Pipfile|go\.mod|pom\.xml|build\.gradle|Gemfile|Cargo\.toml)$' .

echo
echo "If files are listed above, consider whether major updates for those managers should also be disabled."

Repository: drevops/vortex

Length of output: 2612


🏁 Script executed:

cat -n renovate.json

Repository: drevops/vortex

Length of output: 1021


🏁 Script executed:

fd -HI '(renovate\.json|\.renovaterc|\.renovaterc\.json|\.renovaterc\.js|\.renovaterc\.cjs|renovate\.json5)$' .

Repository: drevops/vortex

Length of output: 402


Major-update blocking is too narrow for repo-wide automerge.

This rule disables majors only for npm and composer (lines 20-22). Since the repo includes docker-compose.yml and Renovate is configured with "extends": ["config:recommended"], the docker-compose manager is active. Its major updates are not blocked and may auto-merge due to the global "automerge": true setting.

Suggested guardrail
         {
-            "matchManagers": ["npm", "composer"],
             "matchUpdateTypes": ["major"],
             "enabled": false
         },
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 20 - 22, the current Renovate rule only disables
major updates for managers listed in "matchManagers" (npm, composer), so Docker
Compose majors can still automerge; update the rule in renovate.json to include
the docker-compose manager (add "docker-compose" to "matchManagers") or remove
"matchManagers" so "matchUpdateTypes": ["major"] applies repo-wide, and ensure
"enabled": false remains for that rule so major updates across all managers
(including docker-compose) are blocked from automerge.

},
{
"groupName": "GitHub Actions - All - Major, minor and patch",
"groupSlug": "github-actions-all-major-minor-patch",
"schedule": [
"before 3am"
],
"matchManagers": [
"github-actions"
],
"pinDigests": true
}
],
"customManagers": [
{
"customType": "regex",
"managerFilePatterns": [
"/^docker-compose\\.yml$/"
],
"matchStrings": [
"IMAGE:\\s*\"?\\${(?:.*):-(?<depName>.*?):(?<currentValue>.*?)(?:\\@sha256:.*)?}\"?"
],
"datasourceTemplate": "docker",
"versioningTemplate": "docker"
"matchPackageNames": ["*"],
"groupName": "all dependencies",
"groupSlug": "all"
}
]
}
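Review bot: two removals in the tail of this hunk weaken supply-chain pinning and should be restored or justified. First, "pinDigests": true is deleted both at root (earlier in this hunk) and in the github-actions rule, and config:recommended does not turn digest pinning on (that lives in config:best-practices through docker:pinDigests and helpers:pinGitHubActionDigests), so container images and action references fall back to mutable tags. Second, the customManagers regex that tracked the IMAGE: defaults in docker-compose.yml is gone; whether the built-in docker-compose manager resolves ${IMAGE:-name:tag} variable defaults is worth verifying before relying on it, otherwise those images silently stop being updated. Suggest adding "pinDigests": true back (or extending config:best-practices) and keeping the regex manager, or noting in the description that these references are now managed elsewhere.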