Reverse Renovate's grouping policy — per-dep PRs, not grouped #127

Closed
opened 2026-06-19 12:54:40 +00:00 by james · 0 comments
Owner

Reverses the "Grouped PRs" decision from ADR-0009 §3. The grouping was originally chosen to keep the typical week's PR volume to a handful, but in practice the upgrades inside a single grouped PR want to be tested and merged independently: a patch to one prod dep doesn't share a test surface with a patch to another, and bundling them just means a green CI run on the bundle while no individual upgrade is being judged on its own merits.

Going forward, each dep upgrade gets its own PR. Auto-merge stays in effect for the lockfile-only patch/minor cases (per-PR CI gates them individually); majors / actions / Dockerfile base-image bumps still require human review, also per-PR.

Scope

  • Remove every groupName from renovate.json's packageRules.
  • Update descriptions on each rule so the rationale doesn't reference grouping.
  • Update docs/ci.md "Dependency updates (Renovate)" → "Policy" section: drop the "Grouped PRs" enumeration; replace with a "Per-dep PRs" note explaining each dep upgrade is its own PR.
  • Write a small ADR (next free number) that supersedes the grouping aspect of ADR-0009. ADR-0009's other decisions (quarantine, lockfile-only, auto-merge boundary) stay intact. Add a "Superseded in part" note to ADR-0009's index entry.
  • Confirm automerge: true still attaches to the patch/minor lockfile-only paths — the user-facing change is "individual PRs" not "no more auto-merge".

Acceptance criteria

  • renovate.json contains no groupName fields.
  • npx --yes --package=renovate@latest -- renovate-config-validator passes.
  • docs/ci.md "Policy" section reflects the new per-dep shape.
  • A new ADR captures the reversal; ADR-0009's index entry notes the partial-supersession so a reader landing on it knows the grouping prose is historical.
  • Renovate's next scheduled run produces one PR per dep, not one PR per group.

Out of scope

Changing quarantine, lockfile-only default, or the auto-merge boundary. Those decisions from ADR-0009 stay as-is.

Reverses the "Grouped PRs" decision from [ADR-0009] §3. The grouping was originally chosen to keep the typical week's PR volume to a handful, but in practice the upgrades inside a single grouped PR want to be tested and merged independently: a patch to one prod dep doesn't share a test surface with a patch to another, and bundling them just means a green CI run on the bundle while no individual upgrade is being judged on its own merits. Going forward, each dep upgrade gets its own PR. Auto-merge stays in effect for the lockfile-only patch/minor cases (per-PR CI gates them individually); majors / actions / Dockerfile base-image bumps still require human review, also per-PR. [ADR-0009]: docs/adr/0009-renovate-supply-chain-hardening.md ## Scope - Remove every `groupName` from `renovate.json`'s `packageRules`. - Update descriptions on each rule so the rationale doesn't reference grouping. - Update `docs/ci.md` "Dependency updates (Renovate)" → "Policy" section: drop the "Grouped PRs" enumeration; replace with a "Per-dep PRs" note explaining each dep upgrade is its own PR. - Write a small ADR (next free number) that supersedes the grouping aspect of ADR-0009. ADR-0009's other decisions (quarantine, lockfile-only, auto-merge boundary) stay intact. Add a "Superseded in part" note to ADR-0009's index entry. - Confirm `automerge: true` still attaches to the patch/minor lockfile-only paths — the user-facing change is "individual PRs" not "no more auto-merge". ## Acceptance criteria - `renovate.json` contains no `groupName` fields. - `npx --yes --package=renovate@latest -- renovate-config-validator` passes. - `docs/ci.md` "Policy" section reflects the new per-dep shape. - A new ADR captures the reversal; ADR-0009's index entry notes the partial-supersession so a reader landing on it knows the grouping prose is historical. - Renovate's next scheduled run produces one PR per dep, not one PR per group. ## Out of scope Changing quarantine, lockfile-only default, or the auto-merge boundary. Those decisions from ADR-0009 stay as-is.
james closed this issue 2026-06-19 13:36:33 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
james/carol#127
No description provided.