chore: add Renovate for frontend and backend dependency updates #34

Merged
lewisjared merged 3 commits into main from chore/add-renovate on Jul 1, 2026

Conversation

@lewisjared lewisjared (Contributor) commented Jul 1, 2026

Summary

Adds Renovate to keep both the frontend (npm) and backend (uv / pep621) dependencies up to date, wired into GitHub's Dependabot/Advisory vulnerability alerts, with a 3-day release-age standdown as a supply-chain safeguard.

What's included

  • renovate.json
    • Manages both npm (frontend, package-lock.json) and pep621 (backend, uv.lock) — Renovate updates both lockfiles natively.
    • minimumReleaseAge: "3 days" applied globally so it covers both npm and uv, with internalChecksFilter: "strict" so PRs are held back until a release is 3 days old rather than opened immediately. This is the standdown against freshly-published malicious/compromised releases.
    • vulnerabilityAlerts reads GitHub's Dependabot alerts, plus osvVulnerabilityAlerts for OSV coverage.
    • Non-major updates grouped per ecosystem (frontend non-major / backend non-major) to reduce noise; majors stay separate. Weekly lockFileMaintenance, labels, and a dependency dashboard.
  • .github/workflows/ci.yml — extends the check-changelog guard to also skip renovate[bot] (it already skips dependabot[bot]). Without this, every Renovate PR would fail CI on the missing-changelog gate.

Follow-up required (repo settings, not in this PR)

  • Install/enable the Renovate GitHub App on the repo — it won't act until onboarded.
  • Enable Dependency graph + Dependabot alerts under repo Settings so vulnerabilityAlerts has a data source.

Note on the standdown vs. security fixes

The 3-day standdown currently also applies to vulnerability-alert PRs (conservative, supply-chain-first). If you'd prefer security fixes to bypass the wait, set minimumReleaseAge: "0" inside the vulnerabilityAlerts block.

Summary by CodeRabbit

  • New Features
    • Added automated dependency update management, including grouped non-major updates and a dashboard for tracking pending updates.
    • Enabled vulnerability alerts with a short release-age safeguard before updates are released.
  • Chores
    • Updated CI checks so automated dependency update pull requests no longer trigger changelog validation unnecessarily.

Configure Renovate to keep the npm frontend and uv/pep621 backend
dependencies up to date. Enables GitHub vulnerability alerts (Dependabot
alerts) and OSV alerts, and enforces a 3-day minimum release age across
both ecosystems as a supply-chain safeguard. Extends the CI changelog
guard to skip renovate[bot] as it already does for dependabot[bot].
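The standdown rule the PR description lays out (a global minimumReleaseAge of 3 days held with internalChecksFilter "strict", which also covers vulnerability-alert PRs unless minimumReleaseAge is set to "0" inside the vulnerabilityAlerts block) and the per-ecosystem grouping, modelled as an added Python example. This is not code from the PR or the Renovate project: the embedded renovate.json is constructed from the settings the description lists rather than copied from the repository, and the helper functions (parse_age_hours, effective_min_release_age_hours, pr_would_open, supply_chain_findings) are names chosen here. The policy lint at the end is the kind of check a reviewer would want in order to notice when a later edit quietly weakens the standdown.

```python
import json
import re

# Constructed renovate.json mirroring the settings the PR description lists.
# Assumed content for illustration; the PR's actual file is not on the page.
RENOVATE_JSON = r'''
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "enabledManagers": ["npm", "pep621"],
  "labels": ["dependencies"],
  "minimumReleaseAge": "3 days",
  "internalChecksFilter": "strict",
  "vulnerabilityAlerts": {"enabled": true},
  "osvVulnerabilityAlerts": true,
  "lockFileMaintenance": {"enabled": true, "schedule": ["before 4am on monday"]},
  "packageRules": [
    {"matchManagers": ["npm"], "matchUpdateTypes": ["minor", "patch"],
     "groupName": "frontend non-major"},
    {"matchManagers": ["pep621"], "matchUpdateTypes": ["minor", "patch"],
     "groupName": "backend non-major"}
  ]
}
'''

_UNIT_HOURS = {"hour": 1, "day": 24, "week": 168}


def parse_age_hours(value):
    """Convert a Renovate duration such as '3 days', '12 hours' or '0' to hours."""
    value = str(value).strip()
    if value in ("0", ""):
        return 0
    m = re.fullmatch(r"(\d+)\s*(hour|day|week)s?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNIT_HOURS[m.group(2)]


def effective_min_release_age_hours(config, vulnerability_alert):
    """Standdown that applies to one PR.

    vulnerabilityAlerts is a config object whose options apply to alert-driven
    PRs, so a minimumReleaseAge set there overrides the global value; when it
    is absent the global standdown applies to security fixes as well.
    """
    if vulnerability_alert:
        override = config.get("vulnerabilityAlerts", {}).get("minimumReleaseAge")
        if override is not None:
            return parse_age_hours(override)
    return parse_age_hours(config.get("minimumReleaseAge", "0"))


def pr_would_open(config, release_age_hours, vulnerability_alert=False):
    """True when a release is old enough to clear the applicable standdown."""
    return release_age_hours >= effective_min_release_age_hours(config, vulnerability_alert)


def supply_chain_findings(config):
    """Policy lint: report safeguards from the PR that are missing or weakened."""
    findings = []
    if parse_age_hours(config.get("minimumReleaseAge", "0")) < 24:
        findings.append("minimumReleaseAge below 1 day: no standdown against fresh malicious releases")
    if config.get("internalChecksFilter") != "strict":
        findings.append("internalChecksFilter not explicitly 'strict': PRs may open before the release age is met")
    if not config.get("vulnerabilityAlerts", {}).get("enabled", True):
        findings.append("vulnerabilityAlerts disabled: Dependabot alerts will not drive PRs")
    if not config.get("osvVulnerabilityAlerts", False):
        findings.append("osvVulnerabilityAlerts not enabled: no OSV coverage")
    return findings


def load_config(text=RENOVATE_JSON):
    """Parse a renovate.json document (the constructed one by default)."""
    return json.loads(text)


if __name__ == "__main__":
    cfg = load_config()
    print("findings:", supply_chain_findings(cfg))
    print("2-day-old release opens PR:", pr_would_open(cfg, 48))
    print("2-day-old vuln fix opens PR:", pr_would_open(cfg, 48, vulnerability_alert=True))
    # The override the PR description suggests if security fixes should bypass the wait.
    fast = load_config()
    fast["vulnerabilityAlerts"]["minimumReleaseAge"] = "0"
    print("same vuln fix with override:", pr_would_open(fast, 48, vulnerability_alert=True))
```

The lint deliberately demands an explicit "strict" rather than relying on Renovate's default, so the safeguard survives a preset change; it is a repository policy check, not a reimplementation of Renovate's own scheduling.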

netlify Bot commented Jul 1, 2026


Deploy Preview for climate-ref canceled.

Latest commit: fbd02c0
Latest deploy log: https://app.netlify.com/projects/climate-ref/deploys/6a45194bc576a8000851fd5f


coderabbitai Bot commented Jul 1, 2026

📝 Walkthrough

Adds a renovate.json configuration enabling automated dependency updates with scheduling, vulnerability alerting, and package grouping rules. Updates CI to skip the changelog check for renovate[bot] in addition to dependabot[bot], and adds a trivial changelog entry documenting the change.

Changes

Layer: Renovate config and CI check exclusion
File(s): renovate.json, .github/workflows/ci.yml, changelog/34.trivial.md
Summary: New renovate.json sets presets, dashboard/labels, timezone, minimum release age with strict internal checks filter, PR rate limits, scheduled lockfile maintenance, vulnerability/OSV alerts, and frontend/backend package grouping rules; ci.yml's check-changelog job condition now also excludes renovate[bot]; changelog entry documents the Renovate addition.
🚥 Pre-merge checks: 5 passed

  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: The title clearly matches the main change: adding Renovate support for frontend and backend dependency updates.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
renovate.json (1)

3-7: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant preset.

config:recommended already enables the Dependency Dashboard by default, so explicitly extending :dependencyDashboard is redundant (harmless, just unnecessary).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b3dfda4-d646-4af3-aba1-466790f0602d

📥 Commits

Reviewing files that changed from the base of the PR and between 13c5f91 and fbd02c0.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • changelog/34.trivial.md
  • renovate.json

@lewisjared lewisjared merged commit da0ffeb into main Jul 1, 2026
9 checks passed