From 21c2f0982a7b429ff36325e9bede7b6ad0a1e979 Mon Sep 17 00:00:00 2001
From: Jared Lewis
Date: Wed, 1 Jul 2026 23:32:29 +1000
Subject: [PATCH 1/3] chore: add Renovate for frontend and backend dependency updates
Configure Renovate to keep the npm frontend and uv/pep621 backend dependencies up to date. Enables GitHub vulnerability alerts (Dependabot alerts) and OSV alerts, and enforces a 3-day minimum release age across both ecosystems as a supply-chain safeguard. Extends the CI changelog guard to skip renovate[bot] as it already does for dependabot[bot].
---
.github/workflows/ci.yml | 2 +-
renovate.json | 48 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 renovate.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f85974d..34447f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ on:
 jobs:
 check-changelog:
 runs-on: ubuntu-latest
- if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+ if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
 steps:
 - name: Check out repository
 uses: actions/checkout@v6
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..987484e
--- /dev/null
+++ b/renovate.json
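Review bot: The added `github.actor != 'renovate[bot]'` clause on the ci.yml `if:` line keys the changelog skip on whoever triggered the event rather than on the PR's author, so the exemption presumably stops applying as soon as a maintainer pushes to or rebases a Renovate branch, and the job will then fail for want of a changelog fragment; if that is not intended, `github.event.pull_request.user.login` is the more stable identity to compare. Either way this is a convenience exemption rather than a security gate, since any PR raised under those bot identities skips the check entirely. The growing `&&` chain would read better as a membership test: `if: github.event_name == 'pull_request' && !contains(fromJSON('["dependabot[bot]", "renovate[bot]"]'), github.actor)`. The `check-changelog` job continues outside the hunk.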
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":dependencyDashboard",
+ ":semanticCommits"
+ ],
+ "timezone": "Pacific/Auckland",
+ "dependencyDashboardTitle": "Renovate Dependency Dashboard",
+ "labels": ["dependencies"],
+ "minimumReleaseAge": "3 days",
+ "internalChecksFilter": "strict",
+ "prConcurrentLimit": 5,
+ "prHourlyLimit": 2,
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 6am on monday"]
+ },
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["dependencies", "security"]
+ },
+ "osvVulnerabilityAlerts": true,
+ "packageRules": [
+ {
+ "description": "Label frontend (npm) updates",
+ "matchManagers": ["npm"],
+ "addLabels": ["frontend"]
+ },
+ {
+ "description": "Label backend (uv / Python) updates",
+ "matchManagers": ["pep621"],
+ "addLabels": ["backend"]
+ },
+ {
+ "description": "Group non-major frontend updates into a single PR",
+ "matchManagers": ["npm"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "groupName": "frontend non-major"
+ },
+ {
+ "description": "Group non-major backend updates into a single PR",
+ "matchManagers": ["pep621"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "groupName": "backend non-major"
+ }
+ ]
+}
From ab977e53edeafa0b40e3efa66343b49494135656 Mon Sep 17 00:00:00 2001
From: Jared Lewis
Date: Wed, 1 Jul 2026 23:33:11 +1000
Subject: [PATCH 2/3] chore: add changelog fragment for Renovate
---
changelog/34.trivial.md | 1 +
1 file changed, 1 insertion(+)
create mode 100644 changelog/34.trivial.md
diff --git a/changelog/34.trivial.md b/changelog/34.trivial.md
new file mode 100644
index 0000000..c2bbdef
--- /dev/null
+++ b/changelog/34.trivial.md
@@ -0,0 +1 @@
+Added Renovate to automatically keep the frontend and backend dependencies up to date, wired into vulnerability alerts with a 3-day release-age standdown as a supply-chain safeguard.
From fbd02c04fab9f7db7df15b03dd78fe4da05fcc5d Mon Sep 17 00:00:00 2001
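Review bot: The 3-day `minimumReleaseAge` in the new renovate.json does not cover everything the commit message says it does: Renovate's built-in `vulnerabilityAlerts` defaults set `minimumReleaseAge` to null so security PRs ship immediately (sensible, but undocumented here), and as far as I recall `lockFileMaintenance` regenerates the lockfile through the package manager without honouring the standdown, which the Monday schedule would then turn into a weekly unvetted refresh of transitive dependencies — worth confirming against the Renovate docs before relying on the age gate as the supply-chain control. The two grouping rules also bundle every minor/patch update per ecosystem into one PR, which makes it harder to bisect or revert a single bad release; a reasonable trade-off, but one to record. `:dependencyDashboard` is already pulled in by `config:recommended`, so the explicit entry is redundant, if harmless. Since strict JSON has no comment syntax, a top-level `"description": "minimumReleaseAge is bypassed for vulnerability-alert PRs by design; lockFileMaintenance refreshes transitive deps weekly"` would keep these intents next to the settings they qualify.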
From: Jared Lewis
Date: Wed, 1 Jul 2026 23:42:28 +1000
Subject: [PATCH 3/3] chore: set Renovate timezone to Australia/Melbourne
---
renovate.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 987484e..1dbee84 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,7 +5,7 @@
 ":dependencyDashboard",
 ":semanticCommits"
 ],
- "timezone": "Pacific/Auckland",
+ "timezone": "Australia/Melbourne",
 "dependencyDashboardTitle": "Renovate Dependency Dashboard",
 "labels": ["dependencies"],
 "minimumReleaseAge": "3 days",