Add low-risk tier shared Renovate preset#12
Merged
Centralizes automerge rules for low-risk repos into a shared preset so per-repo configs are one-liners. Rules for Go, JS, Docker, Python minor/patch and all GitHub Actions updates. Non-matching rules are harmless -- repos only get automerge for ecosystems they actually use. Part of the Dependency Strategy Unification (PLAT-227). Co-authored-by: Cursor <cursoragent@cursor.com>
sysread approved these changes (May 29, 2026)

sysread left a comment:
Remember that we probably also need to add an org-level bypass for Renovate to be able to merge PRs without requiring CODEOWNERS approvals.
Contributor (Author) replied:

That's one of the last steps. I'm doing it in this order so that we can watch it through a Monday cycle without it automerging, investigate the PRs it created, and then make the call on adding the bypass.
Summary

Adds renovate-config-low-risk.json, a shared preset for low-risk repos that extends the base preset and adds automerge rules for minor/patch updates across Go, JS, Docker, Python, and all GitHub Actions updates. This allows low-risk repo configs to be a one-liner:

    { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["github>trufflesecurity/.github:renovate-config-low-risk"] }

instead of repeating 5 packageRules entries in every repo.

Why

Feedback on the initial low-risk config PRs (e.g. oink#5) noted that the cookie-cutter template includes automerge rules for ecosystems that don't exist in the repo, which is misleading to reviewers. Moving the rules into a shared preset keeps per-repo configs minimal and accurate while maintaining consistent automerge policy across all low-risk repos.

Non-matching rules are functionally harmless; Renovate simply skips them. But centralizing them here means repo maintainers see a preset name, not a wall of ecosystem-specific rules to evaluate.

Context

Part of the Dependency Strategy Unification plan (PLAT-227).

Test plan

renovate-config-validator passes
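As an added illustration (not the file from this PR, which is not shown on this page), this is what a preset matching the description above could look like: one rule per ecosystem that automerges minor/patch/pin/digest updates, plus an unfiltered rule for GitHub Actions. The manager names (gomod, npm, dockerfile, docker-compose, pip_requirements, pep621, poetry, github-actions) and the description strings are assumptions on my part; the base-config reference and schema URL are taken from the page.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Constructed illustration of the low-risk preset described in PR #12; manager names are assumed, not taken from the PR",
  "extends": ["github>trufflesecurity/.github:renovate-config"],
  "packageRules": [
    {
      "description": "Go modules: automerge minor/patch/pin/digest; major bumps still get a normal review PR",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "JavaScript (npm/yarn/pnpm lockfiles all go through the npm manager)",
      "matchManagers": ["npm"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "Docker base images in Dockerfiles and compose files; digest pins count as 'digest' updates",
      "matchManagers": ["dockerfile", "docker-compose"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "Python: requirements.txt, pyproject (PEP 621) and Poetry",
      "matchManagers": ["pip_requirements", "pep621", "poetry"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "GitHub Actions: no matchUpdateTypes filter, so every update type including major is automerged",
      "matchManagers": ["github-actions"],
      "automerge": true
    }
  ]
}
```

Because the first four rules list no "major" in matchUpdateTypes, a major bump in those ecosystems is still opened as an ordinary PR for human review, while the Actions rule deliberately has no such filter; a rule whose manager is absent from a repo never matches and is skipped, which is the "harmless" behaviour the PR relies on.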
Note: Low Risk. Config-only change to Renovate automerge policy; no application runtime or security-sensitive code paths are modified.

Overview

Adds renovate-config-low-risk.json, a shared Renovate preset that extends the org base config (github>trufflesecurity/.github:renovate-config) and centralizes automerge policy for low-risk dependency updates. Repos can adopt a one-liner extends on github>trufflesecurity/.github:renovate-config-low-risk instead of copying five packageRules blocks. The preset enables automerge for minor/patch/pin/digest on Go, JS, Docker, and Python, and automerges all GitHub Actions updates.

Reviewed by Cursor Bugbot for commit a3cec35.