diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f85974d..34447f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ on:
 jobs:
 check-changelog:
 runs-on: ubuntu-latest
- if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+ if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
 steps:
 - name: Check out repository
 uses: actions/checkout@v6
diff --git a/changelog/34.trivial.md b/changelog/34.trivial.md
new file mode 100644
index 0000000..c2bbdef
--- /dev/null
+++ b/changelog/34.trivial.md
@@ -0,0 +1 @@
+Added Renovate to automatically keep the frontend and backend dependencies up to date, wired into vulnerability alerts with a 3-day release-age standdown as a supply-chain safeguard.
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..1dbee84
--- /dev/null
+++ b/renovate.json
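Review bot: `github.actor` is the account that triggered the workflow run, not the pull request's author, so the new `renovate[bot]` exclusion (like the existing dependabot one) stops applying as soon as a maintainer pushes a commit to, or re-runs CI on, a Renovate PR — at which point the changelog check fails on a PR that by design carries no changelog entry. Checking the PR author is stable regardless of who triggers the run: `if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.user.login != 'renovate[bot]'`. The check-changelog job continues past the end of the hunk.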
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":dependencyDashboard",
+ ":semanticCommits"
+ ],
+ "timezone": "Australia/Melbourne",
+ "dependencyDashboardTitle": "Renovate Dependency Dashboard",
+ "labels": ["dependencies"],
+ "minimumReleaseAge": "3 days",
+ "internalChecksFilter": "strict",
+ "prConcurrentLimit": 5,
+ "prHourlyLimit": 2,
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 6am on monday"]
+ },
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["dependencies", "security"]
+ },
+ "osvVulnerabilityAlerts": true,
+ "packageRules": [
+ {
+ "description": "Label frontend (npm) updates",
+ "matchManagers": ["npm"],
+ "addLabels": ["frontend"]
+ },
+ {
+ "description": "Label backend (uv / Python) updates",
+ "matchManagers": ["pep621"],
+ "addLabels": ["backend"]
+ },
+ {
+ "description": "Group non-major frontend updates into a single PR",
+ "matchManagers": ["npm"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "groupName": "frontend non-major"
+ },
+ {
+ "description": "Group non-major backend updates into a single PR",
+ "matchManagers": ["pep621"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "groupName": "backend non-major"
+ }
+ ]
+}
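Review bot: The 3-day `minimumReleaseAge` most likely does not gate the vulnerability-alert PRs this file turns on: as far as I recall from the Renovate docs, the built-in `vulnerabilityAlerts` defaults set `minimumReleaseAge` to null (and the schedule to any time) so security fixes are not held back, and the `enabled`/`labels` keys given here merge into those defaults rather than replace them. That is the right behaviour for a security fix, but the changelog entry in this same commit says the opposite ("wired into vulnerability alerts with a 3-day release-age standdown"), so either the wording or, if the standdown really is wanted there, an explicit `"minimumReleaseAge": "3 days"` inside `vulnerabilityAlerts` should be reconciled against the docs. Two smaller gaps: `config:recommended` also enables the github-actions manager, whose updates match neither `addLabels` rule, and the workflow touched by this commit pins `actions/checkout@v6` by tag, so adding `"helpers:pinGitHubActionDigests"` to `extends` would pin actions to immutable commit digests — a stronger supply-chain safeguard than the age standdown. Note also that `vulnerabilityAlerts` only yields PRs when the repository has GitHub's vulnerability alerts enabled and the Renovate app has permission to read them, which this file cannot grant by itself; that is worth a line in the changelog or dashboard description.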