Skip to content

Switch dependency automation from Dependabot to Renovate#310

Closed
martsokha wants to merge 1 commit into
mainfrom
chore/switch-to-renovate
Closed

Switch dependency automation from Dependabot to Renovate#310
martsokha wants to merge 1 commit into
mainfrom
chore/switch-to-renovate

Conversation

@martsokha

Copy link
Copy Markdown
Member

Summary

Dependabot bumps uv.lock but has no hook to regenerate downstream artifacts (our per-service requirements.txt files). Every Python bump PR therefore failed CI's gen_requirements.py --check step and needed a manual follow-up commit. Renovate's postUpgradeTasks runs a whitelisted command after each dependency bump and commits the resulting file changes onto the same PR, so branches arrive already green.

Changes

  • renovate.json: replaces the three dependabot entries with three Renovate packageRules (cargo, pep621, github-actions) keeping the existing group names, commit prefixes, and weekly Monday cadence. postUpgradeTasks runs uv sync --all-packages && uv run python scripts/gen_requirements.py after each bump and commits any changes to packages/*/requirements.txt or uv.lock.
  • .github/workflows/renovate.yml: self-hosted runner (hourly cron + manual dispatch) using the renovatebot/github-action container. postUpgradeTasks requires self-hosted; the free hosted Mend app doesn't run arbitrary commands. Uses a GitHub App token so opened PRs trigger our other workflows (Rs Build / Py Build) — the built-in GITHUB_TOKEN doesn't chain workflow triggers.
  • RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS env var pins the runner to the exact regen command. Anything else in renovate.json is silently ignored — the security backstop against a compromised config running arbitrary code.
  • .github/dependabot.yml: deleted.

Setup step before merging (not code)

Create a GitHub App with contents: write and pull-requests: write permissions, install it on the repo, and add RENOVATE_APP_ID + RENOVATE_APP_PRIVATE_KEY as repo secrets. Without these, the workflow will fail at the Get token step.

Detailed setup: https://github.com/renovatebot/github-action#usage-with-a-github-app

Test plan

  • renovate.json passes JSON schema validation (Renovate's own linter runs on PR)
  • renovate.yml workflow YAML lints clean
  • After GitHub App is installed + secrets are added: manually dispatch the Renovate workflow with logLevel: debug and verify it opens a dry-run onboarding PR
  • First real dependency bump PR arrives with packages/*/requirements.txt already regenerated (Rs Build + Py Build green on first attempt, no manual follow-up commit)
  • Remove any remaining stale open Dependabot PRs after Renovate PRs land

Rollback plan

If Renovate misbehaves: revert this PR, dependabot config is restored. Any in-flight Renovate PRs can be closed manually.

🤖 Generated with Claude Code

Dependabot bumps `uv.lock` but has no hook to regenerate
downstream artifacts (our per-service `requirements.txt`
files). Every Python bump PR therefore failed CI's
`gen_requirements.py --check` step and needed a manual
follow-up commit. Renovate's `postUpgradeTasks` runs a
whitelisted command after each dependency bump and commits
the resulting file changes onto the same PR, so branches
arrive already green.

- `renovate.json`: replaces the three dependabot entries with
  three Renovate `packageRules` (cargo, pep621, github-actions)
  keeping the existing group names, commit prefixes, and
  weekly Monday cadence. `postUpgradeTasks` runs
  `uv sync --all-packages && uv run python scripts/gen_requirements.py`
  after each bump and commits any changes to
  `packages/*/requirements.txt` or `uv.lock`.
- `.github/workflows/renovate.yml`: self-hosted runner (hourly
  cron + manual dispatch) using the `renovatebot/github-action`
  container. `postUpgradeTasks` requires self-hosted; the free
  hosted Mend app doesn't run arbitrary commands. Uses a
  GitHub App token so opened PRs trigger our other workflows
  (Rs Build / Py Build) — the built-in GITHUB_TOKEN doesn't
  chain workflow triggers.
- `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS` env var pins the
  runner to the exact regen command. Anything else in
  `renovate.json` is silently ignored — the security backstop
  against a compromised config running arbitrary code.
- `.github/dependabot.yml`: deleted.

## Setup step (not code)

Before merging: create a GitHub App with `contents: write`
and `pull-requests: write` permissions, install it on the
repo, and add `RENOVATE_APP_ID` + `RENOVATE_APP_PRIVATE_KEY`
as repo secrets. Without these, the workflow will fail at the
`Get token` step. Detailed setup:
https://github.com/renovatebot/github-action#usage-with-a-github-app
@martsokha martsokha added the chore maintenance, dependency updates, code cleanup label Jul 3, 2026
@martsokha martsokha self-assigned this Jul 3, 2026
@martsokha

Copy link
Copy Markdown
Member Author

Superseded by #319: adds a native GitHub Actions workflow (Dependabot Regen) that runs scripts/gen_requirements.py and commits back to Dependabot PRs, without switching off native Dependabot.

@martsokha martsokha closed this Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore maintenance, dependency updates, code cleanup

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant