Skip to content

Configure Renovate #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 24, 2025
Merged

Configure Renovate #239

merged 4 commits into from
Oct 24, 2025
+26 −0

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 29, 2025
edited
Loading

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

Detected Package Files

  • docs/Gemfile (bundler)
  • .github/workflows/Comment-on-PR.yml (github-actions)
  • .github/workflows/Notify-Convention-Change.yml (github-actions)
  • .github/workflows/PR.yml (github-actions)
  • .github/workflows/Publish-Package.yml (github-actions)
  • .github/workflows/Update-Poetry-Lock.yml (github-actions)
  • pyproject.toml (poetry)
  • .github/renovate.json (renovate-config-presets)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Raise PR when vulnerability alerts are detected.
  • Raise PR when vulnerability alerts are detected (including OSV alerts).
  • Convert pinned GitHub Action digests to SemVer.
  • Run lock file maintenance (updates) on the first day of each month.
  • Rebase existing PRs any time the base branch has been updated.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

What to Expect

With your current configuration, Renovate will create 7 Pull Requests:

chore(deps): update ruby packages
  • Schedule: ["* 0-3 * * 1"]
  • Branch name: users/renovate/ruby
  • Merge into: main
  • Upgrade tzinfo to 1.2.11
  • Upgrade tzinfo-data to 1.2025.2
  • Upgrade wdm to "~> 0.2.0"
fix(deps): update python packages
chore(deps): update github actions
chore(deps): update github actions (major)
chore(deps): update python packages (major)
  • Schedule: ["* 0-3 * * 1"]
  • Branch name: users/renovate/major-python
  • Merge into: main
  • Upgrade black to 25.9.0
  • Upgrade isort to 6.1.0
  • Upgrade pytest to 8.4.2
chore(deps): update ruby packages (major)
  • Schedule: ["* 0-3 * * 1"]
  • Branch name: users/renovate/major-ruby
  • Merge into: main
  • Upgrade github-pages to "~> 232"
  • Upgrade tzinfo to "~> 2.0"
chore(deps): lock file maintenance
  • Schedule: ["* 0-3 1 * *"]
  • Branch name: users/renovate/lock-file-maintenance
  • Merge into: main
  • Regenerate lock files to use latest dependency versions

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prhourlylimit for details.

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from irwand and neilvana as code owners September 29, 2025 20:19
@github-actions
Copy link
Contributor

github-actions bot commented Sep 29, 2025

Thank you for contributing! 👋

@mshafer-NI
Copy link
Collaborator

mshafer-NI commented Sep 29, 2025

Note that immediately switching from the default config to NI's config for Python packages means that we will NOT get the "what to expect", and instead can expect only Python packages updated for now, as specified here

@bkeryan
Copy link
Contributor

bkeryan commented Sep 29, 2025
edited
Loading

Note that immediately switching from the default config to NI's config for Python packages means that we will NOT get the "what to expect", and instead can expect only Python packages updated for now, as specified here

That's not correct. ni/python-renovate-config doesn't limit the datasources or managers, so you will still get Ruby bundler updates. They will not be grouped or scheduled, so there will be a separate PR for each Ruby gem.

Consider doing something like this (untested):

{
    "packageRules": [
        {
            "description": "Update Ruby packages early Monday mornings.",
            "matchCategories": [
                "ruby"
            ],
            "matchUpdateTypes": [
                "major",
                "minor",
                "patch",
                "rollback",
                "replacement"
            ],
            "groupName": "Ruby packages",
            "groupSlug": "ruby",
            "extends": [
                "schedule:weekly"
            ]
        }
    ]
}

@bkeryan
Copy link
Contributor

bkeryan commented Sep 30, 2025
edited
Loading

Note that immediately switching from the default config to NI's config for Python packages means that we will NOT get the "what to expect", and instead can expect only Python packages updated for now, as specified here

That's not correct. ni/python-renovate-config doesn't limit the datasources or managers, so you will still get Ruby bundler updates. They will not be grouped or scheduled, so there will be a separate PR for each Ruby gem.

PR for this: #240

@bkeryan
Copy link
Contributor

bkeryan commented Sep 30, 2025

@mshafer-NI @irwand @neilvana BTW, you should also update the repo's "Advanced Security" settings:

  • Make sure "Dependency Graph" is enabled.
  • Make sure "Dependabot alerts" is enabled.
  • Make sure other Dependabot features are disabled

@mshafer-NI mshafer-NI merged commit 4af4f90 into main Oct 24, 2025
@mshafer-NI mshafer-NI deleted the renovate/configure branch October 24, 2025 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neilvana neilvana neilvana approved these changes

@mshafer-NI mshafer-NI mshafer-NI approved these changes

@irwand irwand Awaiting requested review from irwand irwand is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mshafer-NI @bkeryan @neilvana