Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44) #60
Closes #44.
What lands
- `renovate.json` — behavioural configuration for Renovate against this repo.
- `docs/ci.md` — new home for repo-level CI policy that isn't obvious from the workflow files. Starts with the Renovate section; hooks for the policy bits added by #46 (`--ignore-scripts`) will land in the same file.
- `docs/adr/0008-renovate-supply-chain-hardening.md` — rationale.
- `CLAUDE.md` — pointer to `docs/ci.md` in the Working in this repo section.
- No `.forgejo/workflows/renovate.yml` is checked in — Renovate is triggered by an instance-wide workflow that lives outside this repo, so this repo only ships behaviour.

The four load-bearing settings
- `minimumReleaseAge: "7 days"` — quarantine. Vulnerability alerts bypass.
- `rangeStrategy: "update-lockfile"` — lockfile-only by default. Major bumps that need a range change get their own opt-in PR with `rangeStrategy: "bump"`, separate group, never auto-merged.
- `packageRules` groups: `npm production deps`, `npm dev deps`, `npm major bumps`, `forgejo actions`, `dockerfile base images`. Only the first two carry `automerge: true`.
- `lockFileMaintenance` weekly to catch transitive bumps with no direct-dep trigger.
- The `github-actions` manager is extended via `managerFilePatterns` to also parse `.forgejo/workflows/` — without that, Renovate would silently ignore every action in this repo.

Acceptance criteria
- `renovate.json` checked in. Renovate runs on a schedule via the instance-wide workflow (out of repo) and opens grouped PRs per the rules here.
- `package.json` range cannot auto-merge. Structural, not procedural: only the lockfile-only update types (`patch`, `minor`, `digest`, `pin`, `pinDigest`) inside the two non-major npm groups carry `automerge: true`. The `npm major bumps` group sets `rangeStrategy: "bump"` and `automerge: false`.
- `docs/ci.md`; rationale in ADR-0008.

Composes with

- `forgejo actions` group keeps the SHA pins fresh; humans review.
- `dockerfile base images` group bumps the digest under the same human-review rule.

Test plan
- `renovate.json` on its next cycle (look for the Dependency Dashboard issue to appear).
- `forgejo actions` PR opens before #16 lands, confirm it does not auto-merge.
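The four load-bearing settings and the group/automerge rules from the acceptance criteria, assembled into one Renovate config as an added illustration; this is not the file this PR checks in. It is written as JSON5 (Renovate also accepts `renovate.json5`) so the settings can carry comments; the `$schema` line, the `config:recommended` preset, the lockfile-maintenance schedule and the matcher fields chosen to define each group are assumptions.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Quarantine: a release must be 7 days old before Renovate proposes it.
  // Renovate's default vulnerabilityAlerts config already sets
  // minimumReleaseAge to null, so security PRs bypass the quarantine;
  // restated here so the bypass is visible in the repo's own config.
  "minimumReleaseAge": "7 days",
  "vulnerabilityAlerts": { "minimumReleaseAge": null },
  // Lockfile-only by default: package.json ranges are left untouched.
  "rangeStrategy": "update-lockfile",
  // Weekly lockfile refresh catches transitive bumps that no direct
  // dependency change would trigger (the schedule string is an assumption).
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 6am on monday"] },
  // Forgejo keeps workflows under .forgejo/, so the github-actions manager
  // is told to parse that directory too (managerFilePatterns is merged
  // with the manager's defaults rather than replacing them).
  "github-actions": {
    "managerFilePatterns": ["/(^|/)\\.forgejo/workflows/[^/]+\\.ya?ml$/"]
  },
  "packageRules": [
    // Only lockfile-only update types in the two non-major npm groups may
    // automerge; a major update never matches these two rules at all.
    {
      "matchManagers": ["npm"],
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["patch", "minor", "digest", "pin", "pinDigest"],
      "groupName": "npm production deps",
      "automerge": true
    },
    {
      "matchManagers": ["npm"],
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor", "digest", "pin", "pinDigest"],
      "groupName": "npm dev deps",
      "automerge": true
    },
    // Majors that need a range change get a separate, never-automerged PR.
    {
      "matchManagers": ["npm"],
      "matchUpdateTypes": ["major"],
      "groupName": "npm major bumps",
      "rangeStrategy": "bump",
      "automerge": false
    },
    // Action SHA pins and base-image digests stay under human review.
    { "matchManagers": ["github-actions"], "groupName": "forgejo actions", "automerge": false },
    { "matchManagers": ["dockerfile"], "groupName": "dockerfile base images", "automerge": false }
  ]
}
```

Later `packageRules` entries override earlier ones, so the `npm major bumps` rule sits last to guarantee `automerge: false` wins for any major update regardless of dep type.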