Skip to content

ci: switch from dependabot to renovate#1075

Draft
nielspardon wants to merge 1 commit into
substrait-io:mainfrom
nielspardon:par-renovate
Draft

ci: switch from dependabot to renovate#1075
nielspardon wants to merge 1 commit into
substrait-io:mainfrom
nielspardon:par-renovate

Conversation

@nielspardon

@nielspardon nielspardon commented May 11, 2026

Copy link
Copy Markdown
Member

We are currently using dependabot which has a very limited feature set, for example it can not handle managing a pixi.lock file as demonstrated in https://github.com/substrait-io/substrait/actions/runs/25411815587/job/74535026421?pr=1072

Renovate is also free to use and a much more powerful dependency auto update tool compared to dependabot. It can handle pixi.lock files out of the box among other things like e.g. it could also be used to update Git submodules to tags instead of just the latest commit (https://docs.renovatebot.com/modules/manager/git-submodules/#updating-to-specific-tag-values).

It gives a more flexibility and helps to address the issue with dependabot not handling the pixi.lock file properly.


This change is Reviewable

Signed-off-by: Niels Pardon <par@zurich.ibm.com>
@benbellick

Copy link
Copy Markdown
Member

Thanks @nielspardon. Can we include a description in the PR body for why we should switch from dependabot to renovate? I think it has something to do with how dependabot interacts with pixi but it would be great to have it in writing somewhere so we can reference it in the future if something comes up. Thank you!

@nielspardon

Copy link
Copy Markdown
Member Author

updated the description. let me know if the description looks good for you.

@@ -16,8 +16,11 @@ jobs:
echo 'module.exports = {
// Workaround for https://github.com/dependabot/dependabot-core/issues/5923

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this comment still relevant if we no longer use dependabot?

Comment thread renovate.json

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to validate that this works before merging?

@nielspardon nielspardon May 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been testing this on my private fork and I found that the current pixi support for Renovate is only covering the direct Pixi dependencies in [tool.pixi.dependencies] e.g. NodeJS which when it does update the version also updates the pixi.lock file: https://github.com/nielspardon/substrait/pull/5/changes

When it updates one of the dependencies in the dev dependency group in [dependency-groups] it does not update those using the Pixi manager and Renovate thus also not updating the pixi.lock file currently: https://github.com/nielspardon/substrait/pull/7/changes

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I logged a feature request with Renovate to help us fix this gap: renovatebot/renovate#43260

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: Renovate also supports postUpgradeTasks if you are hosting it yourself. When using the hosted one with the Github App it does not allow custom commands for security reasons.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for investigating. Hopefully we can figure out something that will work for our setup.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opened a PR to fix renovate for pixi lock file updates: renovatebot/renovate#44004

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need dependency groups? in our case, what's the difference between dependencies and a dev dependency group? isn't the whole thing a single dev environment anyway?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we should discuss this in a separate issue. feels unrelated to switching from dependabot to renovate.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, just a possible shortcut 😆 doesn't really matter though if the issue is being addressed in renovate anyway

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue with Renovate is not caused by the dependencies being in a dependency group. We would have the same issue if they were regular Python dependencies in [project.dependencies] in pyproject.toml. The issue is that the pixi support in Renovate today would only update the pixi.lock file when suggesting a dependency update in pixi.toml or in [tool.pixi.dependencies] in pyproject.toml. This is better than dependabot which has no pixi support at all but wouldn't help since we are using pyproject.toml in this repo and no pixi.toml.

The PR I opened in Renovate which got one approval already makes sure the pixi.lock file gets updated when Python dependencies in pyproject.toml (outside of [tool.pixi.dependencies]) get bumped including dependency groups.

Whether we should declare the dependencies as project dependencies or in a dev dependency group is orthogonal in my opinion.

@nielspardon nielspardon marked this pull request as draft May 12, 2026 08:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants