fix(ci): disable Renovate grouping; one PR per dep (#127) #130

Merged
james merged 1 commit from 126-renovate-no-grouping into main 2026-06-19 13:36:33 +00:00
Owner

Closes #127.

(Branch is 126-renovate-no-grouping — Forgejo's API was 503ing when I started, so I pre-numbered the branch under what turned out to be a different free index. The commit and PR reference #127 correctly.)

What changes

| File | Change |
|---|---|
| `renovate.json` | Drop `groupName` from every `packageRules` entry; rewrite each rule's `description` so it explains "one PR per dep" instead of which group it belongs to. |
| `docs/ci.md` | Rewrite the "Policy" section's enumerated "Grouped PRs" item as a "Per-dep PRs" paragraph pointing at ADR-0020. "Adding a new manager" rewritten to drop the "or grouping" wording and to set per-dep-PRs as the convention. |
| `docs/adr/0020-renovate-per-dep-prs.md` | New ADR. Marked as superseding ADR-0009 §3 only — the other three ADR-0009 guarantees (quarantine, lockfile-only, auto-merge boundary) remain authoritative. Captures the two real problems with grouping (CI-on-bundle hides per-upgrade signal; bad upgrade drags the bundle's reverts), the rejected alternatives (asymmetric dev-only grouping, major-version-boundary grouping), and the accepted negative (PR volume may rise if many releases survive the quarantine in a single week). |
| `docs/adr/README.md` | ADR-0009's index entry annotated with "§3 superseded by ADR-0020"; new ADR-0020 index entry. |

What does NOT change

  • 7-day quarantine — still in effect.
  • rangeStrategy: "update-lockfile" default — still in effect.
  • Auto-merge only for lockfile-only patch/minor — still in effect. The user-facing change is "individual PRs instead of bundled," not "no more auto-merge".
  • needs-human-review label on majors / actions / Dockerfile digest bumps — still in effect.

Test plan

  • [x] `python3 -c 'import json; json.load(open("renovate.json"))'` — clean.
  • [x] `npx --yes --package=renovate@latest -- renovate-config-validator` — `Config validated successfully against 1 file(s)`.
  • [x] `grep -c groupName renovate.json` → `0`.
  • [ ] Renovate's next scheduled run produces one PR per dep, not one PR per group.

ADR housekeeping

This is a real decision reversal, not just an implementation tweak, so it gets its own ADR per the ADR-0001 immutability rule. ADR-0009 is left intact textually and its index entry now flags §3 as superseded — anyone reading ADR-0009 sees the historical reasoning, then is pointed at ADR-0020 for the current policy.
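
A structural version of the test plan's `grep -c groupName` check, added here as an example and not part of this PR or repository: it looks at JSON keys only, so a rule `description` that mentions `groupName` in prose does not count, and it also asserts two of the unchanged guarantees. The sample config is constructed (the real `renovate.json` is not shown on this page), and expressing the auto-merge boundary through `matchUpdateTypes` is an assumption about how the rules are written.

```python
import json

# Constructed sample: the PR's real renovate.json is not shown on the page.
# The first description mentions "groupName" in prose, which `grep -c` would
# count even though no grouping key is set.
SAMPLE = json.loads("""
{
  "rangeStrategy": "update-lockfile",
  "packageRules": [
    {"description": "npm deps: one PR per dep, groupName removed",
     "matchManagers": ["npm"],
     "matchUpdateTypes": ["patch", "minor"],
     "automerge": true},
    {"description": "majors wait for a human",
     "matchUpdateTypes": ["major"],
     "addLabels": ["needs-human-review"]}
  ]
}
""")

ALLOWED_AUTOMERGE = {"patch", "minor"}


def find_keys(node, key, path="$"):
    """Yield the JSON path of every object key equal to `key`, at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield f"{path}.{k}"
            yield from find_keys(v, key, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_keys(v, key, f"{path}[{i}]")


def policy_violations(config):
    """Return human-readable violations of the per-dep-PR policy."""
    out = [f"grouping key present at {p}" for p in find_keys(config, "groupName")]
    if config.get("rangeStrategy") != "update-lockfile":
        out.append("rangeStrategy is not update-lockfile")
    for i, rule in enumerate(config.get("packageRules", [])):
        types = set(rule.get("matchUpdateTypes", []))
        # Assumed encoding of the auto-merge boundary: an automerge rule must
        # name its update types and stay within patch/minor.
        if rule.get("automerge") and (not types or types - ALLOWED_AUTOMERGE):
            out.append(f"packageRules[{i}] auto-merges beyond patch/minor")
    return out


if __name__ == "__main__":
    for line in policy_violations(SAMPLE) or ["policy OK"]:
        print(line)
```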

fix(ci): disable Renovate grouping; one PR per dep (#127)
All checks were successful
Commits / Conventional Commits (pull_request) Successful in 9s
PR / OSV-Scanner (pull_request) Successful in 51s
PR / Static analysis (pull_request) Successful in 55s
PR / Lint (pull_request) Successful in 58s
PR / Typecheck (pull_request) Successful in 1m1s
PR / npm audit (pull_request) Successful in 1m9s
Secrets / gitleaks (pull_request) Successful in 22s
PR / Test (sqlite) (pull_request) Successful in 1m23s
PR / Build (pull_request) Successful in 1m31s
PR / Coverage (soft) (pull_request) Successful in 1m17s
PR / Test (postgres) (pull_request) Successful in 1m29s
PR / Trivy (image) (pull_request) Successful in 1m30s
93d98b298a
The grouped-PRs policy from ADR-0009 §3 was reasonable when proposed
(bound weekly PR volume to a handful) but in practice the upgrades
inside a single grouped PR want independent CI judgement and
independent revert paths. A green CI on a bundle is much weaker
signal than a green CI on a single dep upgrade, and a bad upgrade in
a bundle drags the four good ones down with it on revert.

Remove `groupName` from every packageRule in renovate.json. Each dep
upgrade becomes its own PR. The other three ADR-0009 guarantees —
quarantine, lockfile-only, auto-merge boundary — stay unchanged:
patch/minor lockfile-only for npm production + dev deps still
auto-merges after CI; majors / action SHA bumps / Dockerfile digest
bumps still gate on the needs-human-review label.

ADR-0020 captures the reversal, marked as superseding ADR-0009 §3.
The other ADR-0009 sections (quarantine, lockfile-only,
auto-merge boundary) remain authoritative. ADR-0009's index entry
notes the partial supersession so future readers don't act on the
stale "Grouped PRs" prose.

docs/ci.md "Policy" section rewritten to replace the grouped
enumeration with a "Per-dep PRs" paragraph pointing at ADR-0020.

Verified: `renovate-config-validator` from renovate@latest passes.

Closes #127.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

📊 Test coverage

Patch coverage: no testable lines changed.

Overall (app/, lib/, db/, excluding UI per ADR-0019):

| Metric | Value | Soft target |
|---|---|---|
| Lines | 84.0% ✅ | ≥ 50% |
| Branches | 82.6% ✅ | ≥ 75% |
| Functions | 90.8% | informational |

Soft thresholds per ADR-0019. Coverage is informational and does not block merge.

james merged commit 18172283de into main 2026-06-19 13:36:33 +00:00
james deleted branch 126-renovate-no-grouping 2026-06-19 13:36:33 +00:00