chore: set up Renovate for dependency updates [MEC-3447]#2720
Conversation
| "matchDepTypes": ["devDependencies"], | ||
| "matchUpdateTypes": ["minor", "patch"], | ||
| "groupName": "dev dependencies" | ||
| } |
There was a problem hiding this comment.
Open to your thoughts, since I was on the fence about what to do with husky and fast-copy that was in the dependabot configs. The configs for that has it pinning the major version at 4 for husky and 2 for fast-copy which is stale since they're already past those:
https://github.com/contentful/contentful.js/blob/master/package.json#L114
https://github.com/contentful/contentful.js/blob/master/package.json#L115
For similar PRs, I've capped them to their current major versions. My only reason is if renovate bumps to a different major version and auto-merges, things might start breaking.
Or maybe we should allow it to reach that point (if it happens) so we know to fix it? What do you think?
There was a problem hiding this comment.
Hey Mike, totally on the fence here too honestly. My initial thought was since config:recommended doesn't auto-merge majors we'd still get a PR to review when husky 10 or fast-copy 4 drops — but I could be wrong about how the shared preset is configured. Your approach of capping at current major seems safer if there's any chance of auto-merge behavior. What's been your experience with it on the other PRs you've done?
There was a problem hiding this comment.
If I'm reading this correctly, there's some more configs that might override that and would auto-merge majors minus the packageRules at the bottom: https://github.com/contentful/renovate-config/blob/main/default.json.
FWIW, these 2 deps were capped in dependabot at lower versions than what they're currently at. I think this might be a good test to see if not setting any cap for them would be okay.
3fa09ac to
155e1fe
Compare
|
🎉 This PR is included in version 11.12.7 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sets up Renovate as the dependency-update tool for this repository, part of an org-wide rollout.
Depending on this repo's starting state, this PR does some of the following:
renovate.jsonextending the Contentful shared presetpackageRuleswhere still needed, and removes Dependabot-only automation and secret policiesManual follow-up (not handled by this PR):
Migration Confidence: 🟡 Medium
Summary
Migrated from Dependabot to Renovate: added a repo-root renovate.json extending local>contentful/renovate-config (correct preset for this non-Nx repo), deleted .github/dependabot.yml and the dependabot-approve-and-request-merge.yaml workflow, and removed the now-unused 'dependabot' vault secret policy without inventing a Renovate replacement. Beyond the mechanical removal/replacement, I added packageRules in renovate.json to group minor/patch updates by dependencies vs devDependencies, mirroring the production-dependencies/dev-dependencies grouping that existed in the old dependabot.yml — but I did not carry over dependabot's other behaviors (the husky/fast-copy/eslint-plugin-promise version ignores and the 15-day cooldown), since those aren't standard Renovate packageRules concepts and weren't explicitly requested. This partial-replication choice (keep grouping, drop ignores/cooldown) is a judgment call a different engineer might have made differently — either fully replicating old behavior or relying solely on the shared preset with no extra packageRules.
Files requiring attention
The following files had edge cases or required judgment during migration and should be reviewed carefully:
renovate.json