Skip to content

chore: set up Renovate for dependency updates [MEC-3447]#2720

Merged
Tyler (tylerwashington888) merged 2 commits into
masterfrom
renovate-rollout/dependabot-to-renovate
Jul 8, 2026
Merged

chore: set up Renovate for dependency updates [MEC-3447]#2720
Tyler (tylerwashington888) merged 2 commits into
masterfrom
renovate-rollout/dependabot-to-renovate

Conversation

@contentful-renovate-rollout

Copy link
Copy Markdown
Contributor

Sets up Renovate as the dependency-update tool for this repository, part of an org-wide rollout.

Depending on this repo's starting state, this PR does some of the following:

  • adds a repo-local renovate.json extending the Contentful shared preset
  • for repos that used Dependabot: ports repo-specific behavior (PR limits, ignores, grouping) into local packageRules where still needed, and removes Dependabot-only automation and secret policies
  • updates docs that referenced Dependabot

Manual follow-up (not handled by this PR):

  • close stale Dependabot PRs and branches once Renovate is active (for repos that used Dependabot)

Migration Confidence: 🟡 Medium

Summary

Migrated from Dependabot to Renovate: added a repo-root renovate.json extending local>contentful/renovate-config (correct preset for this non-Nx repo), deleted .github/dependabot.yml and the dependabot-approve-and-request-merge.yaml workflow, and removed the now-unused 'dependabot' vault secret policy without inventing a Renovate replacement. Beyond the mechanical removal/replacement, I added packageRules in renovate.json to group minor/patch updates by dependencies vs devDependencies, mirroring the production-dependencies/dev-dependencies grouping that existed in the old dependabot.yml — but I did not carry over dependabot's other behaviors (the husky/fast-copy/eslint-plugin-promise version ignores and the 15-day cooldown), since those aren't standard Renovate packageRules concepts and weren't explicitly requested. This partial-replication choice (keep grouping, drop ignores/cooldown) is a judgment call a different engineer might have made differently — either fully replicating old behavior or relying solely on the shared preset with no extra packageRules.

Files requiring attention

The following files had edge cases or required judgment during migration and should be reviewed carefully:

  • renovate.json

Comment thread .github/dependabot.yml
Comment thread renovate.json
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "dev dependencies"
}

@michaelphamcf Michael Pham (michaelphamcf) Jul 7, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Open to your thoughts, since I was on the fence about what to do with husky and fast-copy that was in the dependabot configs. The configs for that has it pinning the major version at 4 for husky and 2 for fast-copy which is stale since they're already past those:
https://github.com/contentful/contentful.js/blob/master/package.json#L114
https://github.com/contentful/contentful.js/blob/master/package.json#L115

For similar PRs, I've capped them to their current major versions. My only reason is if renovate bumps to a different major version and auto-merges, things might start breaking.

Or maybe we should allow it to reach that point (if it happens) so we know to fix it? What do you think?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Mike, totally on the fence here too honestly. My initial thought was since config:recommended doesn't auto-merge majors we'd still get a PR to review when husky 10 or fast-copy 4 drops — but I could be wrong about how the shared preset is configured. Your approach of capping at current major seems safer if there's any chance of auto-merge behavior. What's been your experience with it on the other PRs you've done?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm reading this correctly, there's some more configs that might override that and would auto-merge majors minus the packageRules at the bottom: https://github.com/contentful/renovate-config/blob/main/default.json.

FWIW, these 2 deps were capped in dependabot at lower versions than what they're currently at. I think this might be a good test to see if not setting any cap for them would be okay.

@tylerwashington888
Tyler (tylerwashington888) force-pushed the renovate-rollout/dependabot-to-renovate branch from 3fa09ac to 155e1fe Compare July 8, 2026 14:58
@tylerwashington888
Tyler (tylerwashington888) enabled auto-merge (squash) July 8, 2026 14:58
@tylerwashington888
Tyler (tylerwashington888) merged commit b8564f6 into master Jul 8, 2026
23 checks passed
@tylerwashington888
Tyler (tylerwashington888) deleted the renovate-rollout/dependabot-to-renovate branch July 8, 2026 15:00
@contentful-automation

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 11.12.7 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants