Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44) #60

Merged
james merged 1 commit from 44-renovate into main 2026-06-15 12:38:53 +00:00
Owner

Closes #44.

## What lands

- `renovate.json` — behavioural configuration for Renovate against this repo.
- `docs/ci.md` — new home for repo-level CI policy that isn't obvious from the workflow files. Starts with the Renovate section; hooks for the policy bits added by #46 (`--ignore-scripts`) will land in the same file.
- `docs/adr/0008-renovate-supply-chain-hardening.md` — rationale.
- `CLAUDE.md` — pointer to `docs/ci.md` in the *Working in this repo* section.

No `.forgejo/workflows/renovate.yml` is checked in — Renovate is triggered by an instance-wide workflow that lives outside this repo, so this repo only ships behaviour.

## The four load-bearing settings

1. `minimumReleaseAge: "7 days"` — quarantine. Vulnerability alerts bypass.
2. `rangeStrategy: "update-lockfile"` — lockfile-only by default. Major bumps that need a range change get their own opt-in PR with `rangeStrategy: "bump"`, separate group, never auto-merged.
3. Five `packageRules` groups: `npm production deps`, `npm dev deps`, `npm major bumps`, `forgejo actions`, `dockerfile base images`. Only the first two carry `automerge: true`.
4. `lockFileMaintenance` weekly to catch transitive bumps with no direct-dep trigger.

The `github-actions` manager is extended via `managerFilePatterns` to also parse `.forgejo/workflows/` — without that, Renovate would silently ignore every action in this repo.

## Acceptance criteria

- [x] `renovate.json` checked in. Renovate runs on a schedule via the instance-wide workflow (out of repo) and opens grouped PRs per the rules here.
- [ ] *Operational verification:* hold back a dev dep released within the quarantine window and confirm Renovate defers the PR. Cannot be tested inline in this PR — verified post-merge on the next runner cycle.
- [x] A PR that changes a `package.json` range cannot auto-merge. Structural, not procedural: only the lockfile-only update types (`patch`, `minor`, `digest`, `pin`, `pinDigest`) inside the two non-major npm groups carry `automerge: true`. The `npm major bumps` group sets `rangeStrategy: "bump"` and `automerge: false`.
- [x] Policy documented in `docs/ci.md`; rationale in ADR-0008.

## Composes with

- #45 (now merged) — Renovate's `forgejo actions` group keeps the SHA pins fresh; humans review.
- #16 — once the Dockerfile base image is digest-pinned, Renovate's `dockerfile base images` group bumps the digest under the same human-review rule.
- #14 / ADR-0005 — scanners catch *disclosed* CVEs in deps we already have; this work catches *hijacked* releases of deps we already trust. Complementary, not overlapping.

## Test plan

- [ ] After merge, confirm the instance-wide Renovate runner picks up `renovate.json` on its next cycle (look for the *Dependency Dashboard* issue to appear).
- [ ] Confirm the next Renovate PR (whichever group fires first) opens against this repo with the expected group name and labels.
- [ ] If a `forgejo actions` PR opens before #16 lands, confirm it does not auto-merge.
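The acceptance criterion the description calls "structural, not procedural" is one a reviewer can check mechanically rather than by reading each rule. Below is an added example, not part of this PR or the repo: a constructed `renovate.json` that follows the four settings described above, plus a small Python audit that flags any `packageRules` entry with `automerge: true` that reaches beyond the lockfile-only update types or the npm manager, and any `rangeStrategy: "bump"` group that does not pin `automerge: false`. The JSON contents, the lock-file-maintenance schedule and the `managerFilePatterns` regex are assumptions; the repo's real file is not reproduced on this page.

```python
"""Structural audit of a Renovate config for the invariants described in the PR.

Added example; the embedded renovate.json is constructed to match the PR's
description and is an assumption about the real file, not a copy of it.
"""
import json

# Update types that never change a package.json range under
# rangeStrategy "update-lockfile": only the lockfile moves.
LOCKFILE_ONLY_UPDATE_TYPES = {"patch", "minor", "digest", "pin", "pinDigest"}

# Constructed sample config (assumption). The vulnerabilityAlerts block restates
# the quarantine bypass explicitly; the schedule and regex are illustrative.
SAMPLE_RENOVATE_JSON = r"""
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "7 days",
  "rangeStrategy": "update-lockfile",
  "vulnerabilityAlerts": { "minimumReleaseAge": null },
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 6am on monday"] },
  "github-actions": { "managerFilePatterns": ["/^\\.forgejo/workflows/.+\\.ya?ml$/"] },
  "packageRules": [
    { "groupName": "npm production deps", "matchManagers": ["npm"],
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["patch", "minor", "digest", "pin", "pinDigest"], "automerge": true },
    { "groupName": "npm dev deps", "matchManagers": ["npm"],
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor", "digest", "pin", "pinDigest"], "automerge": true },
    { "groupName": "npm major bumps", "matchManagers": ["npm"],
      "matchUpdateTypes": ["major"], "rangeStrategy": "bump", "automerge": false },
    { "groupName": "forgejo actions", "matchManagers": ["github-actions"], "automerge": false },
    { "groupName": "dockerfile base images", "matchManagers": ["dockerfile"], "automerge": false }
  ]
}
"""


def audit(config: dict) -> list[str]:
    """Return policy violations; an empty list means the invariants hold."""
    findings = []
    if not config.get("minimumReleaseAge"):
        findings.append("top-level minimumReleaseAge missing: no quarantine window")
    if config.get("rangeStrategy") != "update-lockfile":
        findings.append("top-level rangeStrategy must be update-lockfile")
    if config.get("automerge") is True:
        findings.append("top-level automerge: true would auto-merge every group")
    if not config.get("lockFileMaintenance", {}).get("enabled"):
        findings.append("lockFileMaintenance not enabled: transitive-only bumps never refresh")

    for rule in config.get("packageRules", []):
        name = rule.get("groupName", "<unnamed rule>")
        if rule.get("automerge") is True:
            # Auto-merge is allowed only for npm rules scoped to lockfile-only update types.
            if rule.get("matchManagers") != ["npm"]:
                findings.append(f"{name}: automerge outside the npm manager")
            types = set(rule.get("matchUpdateTypes", []))
            if not types:
                findings.append(f"{name}: automerge without matchUpdateTypes also matches major")
            elif not types <= LOCKFILE_ONLY_UPDATE_TYPES:
                extra = sorted(types - LOCKFILE_ONLY_UPDATE_TYPES)
                findings.append(f"{name}: automerge on range-changing update types {extra}")
            if rule.get("rangeStrategy", "update-lockfile") != "update-lockfile":
                findings.append(f"{name}: automerge combined with rangeStrategy {rule['rangeStrategy']}")
        # A range-changing group must opt out of auto-merge explicitly, not by inheritance.
        if rule.get("rangeStrategy") == "bump" and rule.get("automerge") is not False:
            findings.append(f"{name}: rangeStrategy bump must set automerge: false explicitly")
    return findings


def audit_sample() -> list[str]:
    """Audit the constructed baseline config; expected to come back clean."""
    return audit(json.loads(SAMPLE_RENOVATE_JSON))


def audit_weakened_sample() -> list[str]:
    """Constructed regression: someone lets the dev-deps group auto-merge majors."""
    cfg = json.loads(SAMPLE_RENOVATE_JSON)
    for rule in cfg["packageRules"]:
        if rule["groupName"] == "npm dev deps":
            rule["matchUpdateTypes"].append("major")
    return audit(cfg)


if __name__ == "__main__":
    print("baseline:", audit_sample() or "OK")
    print("weakened:", audit_weakened_sample())
```

Run as a CI step beside the existing checks, the audit turns the third acceptance criterion into a failing test whenever a later edit to `renovate.json` widens an auto-merging group, instead of relying on a reviewer noticing the change.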
Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44)
All checks were successful
PR / OSV-Scanner (pull_request) Successful in 30s
PR / Static analysis (Semgrep) (pull_request) Successful in 40s
PR / npm audit (pull_request) Successful in 44s
PR / Typecheck (pull_request) Successful in 47s
PR / Lint (pull_request) Successful in 47s
PR / Test (sqlite) (pull_request) Successful in 54s
PR / Test (postgres) (pull_request) Successful in 59s
PR / Build (pull_request) Successful in 1m7s
PR / Trivy (image) (pull_request) Successful in 1m15s
1954777e2d
renovate.json sets `rangeStrategy: update-lockfile` as the default,
groups PRs by manager + dep type, quarantines releases for 7 days
(vulnerabilityAlerts bypass), and auto-merges only lockfile-only
patch/minor updates. The github-actions manager is extended to also
parse `.forgejo/workflows/`.

Renovate is triggered by an instance-wide workflow that lives outside
this repo, so no `.forgejo/workflows/renovate.yml` is checked in —
this repo only contributes behavioural configuration.

Policy lives in docs/ci.md (new); rationale in ADR-0008.
james force-pushed 44-renovate from 1954777e2d to 6f3663c629 2026-06-15 12:38:09 +00:00
james merged commit 1342d4890f into main 2026-06-15 12:38:53 +00:00