Switch dependency automation from Dependabot to Renovate#310
Closed
martsokha wants to merge 1 commit into
Closed
Conversation
Dependabot bumps `uv.lock` but has no hook to regenerate downstream artifacts (our per-service `requirements.txt` files). Every Python bump PR therefore failed CI's `gen_requirements.py --check` step and needed a manual follow-up commit. Renovate's `postUpgradeTasks` runs a whitelisted command after each dependency bump and commits the resulting file changes onto the same PR, so branches arrive already green. - `renovate.json`: replaces the three dependabot entries with three Renovate `packageRules` (cargo, pep621, github-actions) keeping the existing group names, commit prefixes, and weekly Monday cadence. `postUpgradeTasks` runs `uv sync --all-packages && uv run python scripts/gen_requirements.py` after each bump and commits any changes to `packages/*/requirements.txt` or `uv.lock`. - `.github/workflows/renovate.yml`: self-hosted runner (hourly cron + manual dispatch) using the `renovatebot/github-action` container. `postUpgradeTasks` requires self-hosted; the free hosted Mend app doesn't run arbitrary commands. Uses a GitHub App token so opened PRs trigger our other workflows (Rs Build / Py Build) — the built-in GITHUB_TOKEN doesn't chain workflow triggers. - `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS` env var pins the runner to the exact regen command. Anything else in `renovate.json` is silently ignored — the security backstop against a compromised config running arbitrary code. - `.github/dependabot.yml`: deleted. ## Setup step (not code) Before merging: create a GitHub App with `contents: write` and `pull-requests: write` permissions, install it on the repo, and add `RENOVATE_APP_ID` + `RENOVATE_APP_PRIVATE_KEY` as repo secrets. Without these, the workflow will fail at the `Get token` step. Detailed setup: https://github.com/renovatebot/github-action#usage-with-a-github-app
3 tasks
Member
Author
|
Superseded by #319: adds a native GitHub Actions workflow ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Dependabot bumps
uv.lockbut has no hook to regenerate downstream artifacts (our per-servicerequirements.txtfiles). Every Python bump PR therefore failed CI'sgen_requirements.py --checkstep and needed a manual follow-up commit. Renovate'spostUpgradeTasksruns a whitelisted command after each dependency bump and commits the resulting file changes onto the same PR, so branches arrive already green.Changes
renovate.json: replaces the three dependabot entries with three RenovatepackageRules(cargo, pep621, github-actions) keeping the existing group names, commit prefixes, and weekly Monday cadence.postUpgradeTasksrunsuv sync --all-packages && uv run python scripts/gen_requirements.pyafter each bump and commits any changes topackages/*/requirements.txtoruv.lock..github/workflows/renovate.yml: self-hosted runner (hourly cron + manual dispatch) using therenovatebot/github-actioncontainer.postUpgradeTasksrequires self-hosted; the free hosted Mend app doesn't run arbitrary commands. Uses a GitHub App token so opened PRs trigger our other workflows (Rs Build / Py Build) — the built-inGITHUB_TOKENdoesn't chain workflow triggers.RENOVATE_ALLOWED_POST_UPGRADE_COMMANDSenv var pins the runner to the exact regen command. Anything else inrenovate.jsonis silently ignored — the security backstop against a compromised config running arbitrary code..github/dependabot.yml: deleted.Setup step before merging (not code)
Create a GitHub App with
contents: writeandpull-requests: writepermissions, install it on the repo, and addRENOVATE_APP_ID+RENOVATE_APP_PRIVATE_KEYas repo secrets. Without these, the workflow will fail at theGet tokenstep.Detailed setup: https://github.com/renovatebot/github-action#usage-with-a-github-app
Test plan
renovate.jsonpasses JSON schema validation (Renovate's own linter runs on PR)renovate.ymlworkflow YAML lints cleanlogLevel: debugand verify it opens a dry-run onboarding PRpackages/*/requirements.txtalready regenerated (Rs Build + Py Build green on first attempt, no manual follow-up commit)Rollback plan
If Renovate misbehaves: revert this PR, dependabot config is restored. Any in-flight Renovate PRs can be closed manually.
🤖 Generated with Claude Code