From 7f4d31e11a99d956c864cd9638ef9f92cb56d84b Mon Sep 17 00:00:00 2001
From: glokos
Date: Fri, 3 Jul 2026 15:58:17 +0200
Subject: [PATCH] =?UTF-8?q?chore:=20migrate=20github-actions=20updates=20f?= =?UTF-8?q?rom=20dependabot=20to=20renovate=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/dependabot.yml | 6 ------
.github/renovate.json5 | 32 ++++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 6 deletions(-)
delete mode 100644 .github/dependabot.yml
create mode 100644 .github/renovate.json5
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 3a626c3a7..000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: monthly
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 000000000..3013ea04c
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,32 @@
+// This file follows JSON5 syntax, to make it
+// easier to maintain.
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ // Disable every built-in manager (npm, dockerfile, ...) except github-actions.
+ enabledManagers: ["github-actions"],
+ // PR titles use Conventional Commits: `deps(): ...`
+ semanticCommits: "enabled",
+ semanticCommitType: "deps",
+ packageRules: [
+ // GitHub Actions updates: run weekly, skip releases newer than 2 weeks
+ // to avoid picking up freshly published versions that may be unstable or
+ // compromised, and pin to full commit SHAs (with the version as a
+ // trailing comment) rather than mutable tags.
+ // When both major and minor releases exist, propose only the latest bump
+ // (typically major) instead of a separate minor PR.
+ {
+ matchManagers: ["github-actions"],
+ schedule: ["on monday"],
+ minimumReleaseAge: "14 days",
+ // Track upgrades by semver tag, but pin the resolved version to its full
+ // commit SHA (semver tag kept as a trailing comment). Use the coerced
+ // variant so short tags like `v3` / `v1.7` (which several actions only
+ // publish) still parse instead of silently stopping updates.
+ versioning: "semver-coerced",
+ pinDigests: true,
+ separateMajorMinor: false,
+ semanticCommitScope: "{{depName}}",
+ commitMessageTopic: "{{depName}}",
+ },
+ ],
+}
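Review bot: The comment on the `github-actions` package rule promises a 14-day cooling-off period plus immutable SHA pins, but for the short floating tags it explicitly accommodates (`v3`, `v1.7`) the two may not combine as described. Such a tag is mutable, so `pinDigests: true` pins whatever commit it points to when Renovate runs, and a later move of the tag arrives as a digest update rather than a new version. Whether `minimumReleaseAge: "14 days"` also gates digest-only updates depends on the Renovate version in use and should be checked against its documentation; if it does not, a retagged `v3` would be proposed on the next Monday run with no delay. I would state the limitation next to the option, for example `// NOTE: floating tags (v3, v1.7) move; their digest bumps may bypass minimumReleaseAge - review those PRs by hand.`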