chore(deps): migrate from dependabot to renovate with cooldown #18

Merged
luckyPipewrench merged 2 commits into main from chore/renovate-migration on May 17, 2026
Conversation

luckyPipewrench (Owner) commented May 17, 2026

Replaces .github/dependabot.yml with renovate.json. Adds a 10-day minimum release age before any routine update PR opens, with a vulnerability-alert bypass so CVE fixes fast-track. Enables SHA digest pinning for GitHub Actions.

Groups preserved from dependabot: pip-deps (pip_requirements + pep621 for pyproject.toml), ci-actions (github-actions).

Requires the Mend Renovate GitHub App, already enabled on the org. Supersedes the default-config onboarding PR (#17).

Closes #17.

Summary by CodeRabbit

  • Chores
    • Transitioned dependency management configuration with updated scheduling policies including weekly lockfile maintenance, configurable minimum release ages, stricter internal validation, enhanced security vulnerability alerts with fast-track options, improved concurrency limits, and tailored grouping rules for different dependency types.

Replaces .github/dependabot.yml with renovate.json. Adds a 10-day
minimum release age before any routine update PR opens, with a
vulnerability-alert bypass so CVE fixes fast-track. Enables SHA digest
pinning for GitHub Actions.

Groups preserved from dependabot: pip-deps (pip_requirements + pep621
for pyproject.toml), ci-actions (github-actions).

Requires the Mend Renovate GitHub App, already enabled on the org.
Supersedes the default-config onboarding PR (#17).
coderabbitai (Bot) commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ea37211 and 55a96d5.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • renovate.json
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml

📝 Walkthrough

Dependabot configuration is removed entirely and replaced with a Renovate configuration that extends the recommended preset with semantic commits, weekly lockfile maintenance, and custom package rules governing Python dependency updates, GitHub Actions digests, vulnerability alerts, and major version automerge behavior.

Changes

Dependency Management Migration to Renovate

Layer: Base Renovate Configuration
File(s): renovate.json
Summary: Renovate schema header, recommended presets with semantic commits and weekly lockfile maintenance, default 10-day minimum release age, strict internal checks, base dependency labels, and PR concurrency limit.

Layer: Vulnerability and Package Update Rules
File(s): renovate.json
Summary: Vulnerability alerts configured with fast-track and security labels, immediate release age override, and "at any time" schedule; package rules handle cooldown bypass for org packages, GitHub Actions digest pinning with CI labels and grouping, Python dependency labeling with "deps:" commit prefix, and major version automerge prevention with review tagging.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Farewell, Dependabot's steady hand,
Renovate arrives to take command!
Ten days to ripen, rules so neat,
Python, Actions—updates complete. ✨
From old to new, the config hops,
Dependency magic never stops!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: migrating from Dependabot to Renovate with a cooldown mechanism.
  • Linked Issues check: ✅ Passed. The PR implements all core requirements from #17: removes dependabot.yml, adds renovate.json with recommended config, enables semantic commits, implements minimum release age for routine updates with vulnerability-alert bypass, pins GitHub Actions digests, and preserves dependency grouping.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to the Renovate migration objectives; no unrelated modifications to application code or unscoped configuration changes are present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Adds a packageRule to skip the 10-day minimumReleaseAge for any
package matching luckyPipewrench/ or ghcr.io/luckypipewrench/. Same
pattern as the other repos that reference our own org packages.

Fast-tracks pipelock action and image bumps for dogfood loops.
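The cooldown, vulnerability-alert bypass and org-package packageRule described in the PR description and the second commit message, as an added example that is not the PR's own renovate.json: a config reconstructed from the description, plus a simplified resolver that shows which minimumReleaseAge, labels and pinDigests setting Renovate ends up applying to a given update. The JSON itself, the label names, the regex package patterns and "deps" as the semanticCommitType value are assumptions; the group names, org names and pipelock come from the PR.

```python
import json
import re

# Reconstructed from the PR description; an assumption, not the merged renovate.json.
# Label names, the regex package patterns and "deps" as semanticCommitType are guesses.
RENOVATE_JSON = r"""{
  "extends": ["config:recommended", ":semanticCommits", ":maintainLockFilesWeekly"],
  "minimumReleaseAge": "10 days",
  "vulnerabilityAlerts": {"addLabels": ["security", "fast-track"],
                          "minimumReleaseAge": null, "schedule": ["at any time"]},
  "packageRules": [
    {"matchPackageNames": ["/^luckyPipewrench//", "/^ghcr\\.io/luckypipewrench//"],
     "minimumReleaseAge": null},
    {"matchManagers": ["github-actions"], "pinDigests": true,
     "groupName": "ci-actions", "addLabels": ["ci"]},
    {"matchManagers": ["pip_requirements", "pep621"], "groupName": "pip-deps",
     "addLabels": ["python"], "semanticCommitType": "deps"},
    {"matchUpdateTypes": ["major"], "automerge": false, "addLabels": ["needs-review"]}
  ]
}"""
CONFIG = json.loads(RENOVATE_JSON)
def _name_matches(pattern, name):
    # Renovate treats "/.../" entries as regexes and anything else as exact names.
    if pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], name) is not None
    return pattern == name
def _rule_matches(rule, dep):
    # Every match* key present on a rule must hold for the rule to apply.
    if dep["manager"] not in rule.get("matchManagers", [dep["manager"]]):
        return False
    if dep["update_type"] not in rule.get("matchUpdateTypes", [dep["update_type"]]):
        return False
    names = rule.get("matchPackageNames")
    return names is None or any(_name_matches(p, dep["name"]) for p in names)
def resolve(dep, vulnerability_alert=False, config=CONFIG):
    """Settings for one update: defaults, matching packageRules in order (later wins),
    then vulnerabilityAlerts for CVE-driven PRs. Simplified: addLabels accumulate."""
    eff = {k: v for k, v in config.items()
           if k not in ("extends", "packageRules", "vulnerabilityAlerts")}
    layers = [r for r in config["packageRules"] if _rule_matches(r, dep)]
    if vulnerability_alert:
        layers.append(config["vulnerabilityAlerts"])
    for layer in layers:
        for key, val in layer.items():
            if key == "addLabels":
                eff[key] = eff.get(key, []) + val
            elif not key.startswith("match"):
                eff[key] = val
    return eff
```

A routine PyPI bump keeps the 10-day cooldown, an org-owned action or image drops it, and a vulnerability alert drops it for any package while adding the security labels and the "at any time" schedule.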
@luckyPipewrench luckyPipewrench merged commit c1a2d0c into main May 17, 2026
15 checks passed
@luckyPipewrench luckyPipewrench deleted the chore/renovate-migration branch May 17, 2026 20:32