From a7037584dc06228c4929ed37afd58e35cb0532f5 Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:27:17 +0100 Subject: [PATCH 1/8] docs(deps): propose hybrid dependency management --- decisions/0004-dependabot-unification.md | 2 +- .../0012-hybrid-dependency-management.md | 113 ++++++++++++++++++ 2 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 decisions/0012-hybrid-dependency-management.md diff --git a/decisions/0004-dependabot-unification.md b/decisions/0004-dependabot-unification.md index 31dec625f..86733e610 100644 --- a/decisions/0004-dependabot-unification.md +++ b/decisions/0004-dependabot-unification.md @@ -4,7 +4,7 @@ - **Date:** 2026-05-20 - **Deciders:** ss-o, Gemini CLI - **Supersedes:** None -- **Superseded by:** None +- **Superseded by:** Proposed: `decisions/0012-hybrid-dependency-management.md` ## Context diff --git a/decisions/0012-hybrid-dependency-management.md b/decisions/0012-hybrid-dependency-management.md new file mode 100644 index 000000000..08460ffc5 --- /dev/null +++ b/decisions/0012-hybrid-dependency-management.md 
@@ -0,0 +1,113 @@ +# 12. Split Dependency Updates Between Renovate and Dependabot + +- **Status:** PROPOSED +- **Date:** 2026-06-21 +- **Deciders:** None until accepted +- **Supersedes:** `decisions/0004-dependabot-unification.md` +- **Superseded by:** None + +## Context + +ADR 0004 standardized dependency management on Dependabot to remove a mixed, +inconsistent setup. The decision simplified administration, but routine version +updates still require a separate `.github/dependabot.yml` in every repository. +Those files have drifted across the organization in enabled ecosystems, +schedules, grouping, and target branches. + +Z-Shell has more than 90 repositories spanning GitHub Actions, npm, Docker, Go, +Zsh plugins, documentation, and dependency references embedded in files that +native package managers do not always cover. The organization needs both: + +- GitHub-native vulnerability detection and remediation; and +- centrally governed, flexible routine version maintenance. + +Running Renovate and Dependabot for the same routine updates would recreate the +original fragmentation and add duplicate pull requests, lock-file conflicts, +and unnecessary CI usage. + +## Decision + +Adopt a hybrid model with non-overlapping ownership: + +1. **GitHub Dependabot owns security:** + - dependency graph; + - Dependabot alerts; + - Dependabot security update pull requests. +2. **Renovate owns routine version updates:** + - GitHub Actions; + - package-manager dependencies and lock files; + - Docker images; + - Go modules; + - explicitly configured custom dependency references. +3. **No overlapping routine updates:** a repository covered by Renovate must + not retain a `.github/dependabot.yml` that creates routine version-update + pull requests. +4. **Central preset:** routine update policy lives in + `z-shell/.github/renovate-config.json`. Repositories use automatic + organization preset discovery or explicitly extend + `local>z-shell/.github:renovate-config`. +5. 
**Conservative defaults:** the shared preset uses weekly scheduling, a + minimum release age, grouped updates, semantic commits, and no global + automerge. +6. **Repository exceptions stay local:** target branches, custom managers, or + specialized grouping belong in a small repository `renovate.json`. + +## Rollout and rollback + +Migration is staged per repository: + +1. Confirm the Renovate GitHub App can access the repository. +2. Confirm Renovate reads the shared preset and processes the repository. +3. Confirm the dependency graph, Dependabot alerts, and security updates remain + enabled in GitHub settings. +4. Remove `.github/dependabot.yml` to stop overlapping routine updates. + +If Renovate coverage is unavailable or fails, restore the repository's +Dependabot version-update configuration until coverage is healthy. A duplicate +routine update from both bots is a policy defect and must be resolved by +disabling the Dependabot version-update entry. + +## Consequences + +### Positive + +- One organization preset controls routine update policy. +- GitHub remains the native authority for vulnerability alerts and fixes. +- Renovate supplies broader manager coverage, custom managers, release-age + controls, grouping, and a Dependency Dashboard. +- Explicit ownership prevents duplicate update pull requests. +- Repository-specific configuration is limited to real exceptions. + +### Negative / costs + +- The Renovate GitHub App becomes an additional organization integration. +- App coverage and shared-preset validation must be monitored. +- Migration requires checking each repository before removing Dependabot + version updates. +- Maintainers must understand that deleting `dependabot.yml` does not disable + alerts or security updates configured in GitHub settings. + +### Neutral + +- Dependency pull requests still rely on repository CI and review policy. 
+- Security settings remain organization or repository settings rather than + files inherited from the `.github` repository. + +## Alternatives considered + +1. **Dependabot only:** Rejected because configuration remains duplicated and + has already drifted, while coverage and customization are narrower. +2. **Renovate only:** Rejected because GitHub already provides native + vulnerability alerts and security remediation without granting an external + app responsibility for the entire security path. +3. **Both tools for routine updates:** Rejected because it produces duplicate + pull requests, conflicting lock-file changes, excess CI usage, and ambiguous + ownership. + +## References + +- `decisions/0004-dependabot-unification.md` +- `runbooks/dependency-management.md` +- `renovate-config.json` +- [Renovate configuration presets](https://docs.renovatebot.com/config-presets/) +- [GitHub Dependabot security updates](https://docs.github.com/en/code-security/concepts/supply-chain-security/dependabot-security-updates) From 26dfb68693e93f77fcf36fba6a82ea50a648919c Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:27:18 +0100 Subject: [PATCH 2/8] feat(deps): restore shared Renovate preset --- renovate-config.json | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 renovate-config.json diff --git a/renovate-config.json b/renovate-config.json new file mode 100644 index 000000000..c15f0bd4d --- /dev/null +++ b/renovate-config.json 
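Review bot: The Negative / costs list in ADR 0012 records that "The Renovate GitHub App becomes an additional organization integration" but the decision never states what that integration is granted: whether the app is installed on all repositories or a selected set, which permissions it holds, and who administers and periodically reviews the installation. Because the Decision section hands an external app the ability to open branches and pull requests across more than 90 repositories, add one line under Negative / costs (or a pointer to the runbook) recording installation scope and the reviewing owner, so the new supply-chain trust relationship is part of the decision record rather than implicit.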
@@ -0,0 +1,40 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "description": "Z-Shell organization preset for routine dependency version updates", + "extends": [ + "config:best-practices", + ":semanticCommits" + ], + "timezone": "UTC", + "schedule": [ + "* 0-4 * * 1" + ], + "minimumReleaseAge": "3 days", + "dependencyDashboard": true, + "dependencyDashboardTitle": "Dependency Dashboard", + "labels": [ + "type:maintenance", + "area:dependencies" + ], + "automerge": false, + "packageRules": [ + { + "description": "Group GitHub Actions updates", + "matchManagers": [ + "github-actions" + ], + "groupName": "github actions" + }, + { + "description": "Group non-major updates by package manager", + "matchUpdateTypes": [ + "minor", + "patch", + "pin", + "digest" + ], + "groupName": "{{manager}} non-major updates", + "groupSlug": "{{manager}}-non-major" + } + ] +} From 6116704cbddfd32211b1fc11c84d8c6b5f6a3cde Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:33:11 +0100 Subject: [PATCH 3/8] docs(deps): document hybrid update workflow --- .github/README.md | 43 +++++++---- AGENTS.md | 21 ++--- renovate-config.json | 25 ++---- runbooks/dependency-management.md | 124 ++++++++++++++++++++++++++++++ runbooks/new-repository.md | 21 +++-- 5 files changed, 183 insertions(+), 51 deletions(-) create mode 100644 runbooks/dependency-management.md diff --git a/.github/README.md b/.github/README.md index 21393fd26..cc6eb1cc4 100644 --- a/.github/README.md +++ b/.github/README.md 
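Review bot: The two `packageRules` entries overlap and their order leaves the first one mostly inert: Renovate evaluates rules top to bottom and a later match overwrites values set earlier, so for minor, patch, pin and digest updates of GitHub Actions the second rule's `"groupName": "{{manager}} non-major updates"` replaces `"groupName": "github actions"`, and the dedicated actions group only ever receives major bumps. Either move the `github-actions` rule below the non-major rule or give it its own `matchUpdateTypes`, and add a `groupSlug` to it so the branch name does not depend on the slugified display name.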
@@ -17,7 +17,7 @@ ## About the `.github` Repository -The `.github` repository is a [special GitHub repository](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file) that serves as the **organization-wide configuration hub**. Files placed here apply as defaults across all repositories in the [Z-Shell](https://github.com/z-shell) organization, without needing to duplicate them into every individual repository. +The `.github` repository is a [special GitHub repository](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file) and the **organization-wide configuration hub**. GitHub inherits supported community health files and templates from here; reusable actions, workflow templates, Renovate policy, ADRs, and runbooks remain shared resources that repositories or maintainers reference explicitly. ### What Makes It Special 
@@ -29,7 +29,7 @@ The `.github` repository is a [special GitHub repository](https://docs.github.co | **Agent Memory Protocol** | `.github/AGENT_MEMORY.md` defines the GitHub-native handoff workflow used to keep cross-LLM and cross-repository progress visible. | | **Reusable Composite Actions** | The `actions/` directory hosts [composite actions](https://docs.github.com/en/actions/creating-actions/creating-a-composite-action) that any org repository can reference via `uses: z-shell/.github/actions/@main`. | | **Workflow Templates** | The `workflow-templates/` directory provides [starter workflows](https://docs.github.com/en/actions/using-workflows/creating-starter-workflows-for-your-organization) available in every org repository under **Actions > New workflow**. | -| **Shared Dependency Config** | `renovate-config.json` defines a shared [Renovate](https://docs.renovatebot.com/) preset that org repositories can extend for consistent automated dependency updates. | +| **Shared Dependency Config** | `renovate-config.json` defines the shared [Renovate](https://docs.renovatebot.com/) preset for routine version updates; GitHub Dependabot retains alerts and security updates. | > **Note:** The `.github` repository must be **public** for default community health files to apply across the organization. 
@@ -46,8 +46,7 @@ The `.github` repository is a [special GitHub repository](https://docs.github.co | [`profile/`](../profile/) | Organization profile — the README and visual assets displayed on the [org page](https://github.com/z-shell) | | [`actions/`](../actions/) | Reusable composite GitHub Actions shared across all org repositories | | [`workflow-templates/`](../workflow-templates/) | Starter workflow templates available in the **Actions > New workflow** tab | -| [`metrics/`](../metrics/) | Auto-generated organization metrics and analytics | -| [`renovate-config.json`](../renovate-config.json) | Shared Renovate bot preset for dependency updates | +| [`renovate-config.json`](../renovate-config.json) | Shared Renovate preset for routine dependency version updates | ### Community Health Files 
@@ -92,20 +91,26 @@ steps: Starter workflows available in every org repository under **Actions > New workflow**: -| Template | Description | -| --------------- | ------------------------------------------------------ | -| Trunk | Trunk code-quality workflow | -| Zsh CI | Starter Zsh CI workflow | -| Rclone Action | File sync with rclone | -| Project Tracker | Adds `meta:org-tracked` issues to the org-wide tracker | +| Template | Description | +| ------------- | --------------------------- | +| Trunk | Trunk code-quality workflow | +| Zsh CI | Starter Zsh CI workflow | +| Rclone Action | File sync with rclone | Label definitions live in [`./lib/labels.yml`](lib/labels.yml) and should be applied through org maintenance scripts or API-driven automation, not via a generic starter workflow template. -Tracker and project automation are documented in [`../runbooks/project-tracker.md`](../runbooks/project-tracker.md). Project 28 is the org-wide tracker, and issues labelled `meta:org-tracked` should be added there automatically by either the Project v2 built-in workflow or the repository workflow fallback. +Task tracking is documented in [`../runbooks/project-tracker.md`](../runbooks/project-tracker.md). -## Renovate +## Dependency Management -Shared [Renovate](https://docs.renovatebot.com/) preset for automated dependency updates. Reference from any org repository: +Z-Shell separates routine maintenance from security remediation: + +- [Renovate](https://docs.renovatebot.com/) owns routine dependency version updates. +- GitHub Dependabot owns dependency graph alerts and security update pull requests. + +Repositories must not configure both bots for routine version updates. Renovate +discovers the shared organization preset automatically during onboarding, or a +repository can reference it explicitly: ```json { 
@@ -114,6 +119,9 @@ Shared [Renovate](https://docs.renovatebot.com/) preset for automated dependency } ``` +See [`../runbooks/dependency-management.md`](../runbooks/dependency-management.md) +for onboarding, validation, migration, and rollback. + --- ## Common Use Cases 
@@ -123,17 +131,18 @@ This repository is the right place for any **organization-level** configuration: - **Adding a new default issue/PR template** — add it to `.github/ISSUE_TEMPLATE/` - **Updating agent instructions, ADRs, runbooks, or patterns** — edit `AGENTS.md`, `decisions/`, `runbooks/`, or `PATTERNS.md` - **Defining weekly review, ADR, or release coordination workflows** — add or update the relevant file under `runbooks/` -- **Recording cross-agent progress** — follow `.github/AGENT_MEMORY.md` and keep active state in issues, PRs, and the Z-Shell Tracker -- **Configuring tracker auto-add** — follow `../runbooks/project-tracker.md` +- **Recording cross-agent progress** — follow `.github/AGENT_MEMORY.md` and keep active state in issues, pull requests, and Linear +- **Managing organization task tracking** — follow `../runbooks/project-tracker.md` - **Updating the shared label set** — edit `.github/lib/labels.yml` and roll it out via the org's maintenance automation - **Cleaning legacy labels** — follow `../runbooks/labels.md` before deleting labels from live repositories - **Creating a reusable CI action** — add a composite action under `actions//action.yml` - **Providing a starter workflow** — add `.yml` + `.properties.json` to `workflow-templates/` - **Updating the organization profile** — edit `profile/README.md` or add assets to `profile/img/` - **Changing contribution or security policies** — edit the corresponding file in `.github/` -- **Updating shared Renovate config** — edit `renovate-config.json` +- **Updating dependency automation** — edit `renovate-config.json` and follow `../runbooks/dependency-management.md` -For repository-specific overrides, add the same file to that repository directly — it will take precedence over the defaults from here. +For a repository-specific Renovate exception, add a minimal `renovate.json` that +extends the organization preset and contains only the required override. ## Links 
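Review bot: Several changes in these README hunks fall outside the `docs(deps)` subject: the `metrics/` row is dropped from the directory table, the `Project Tracker` template row and the Project 28 / `meta:org-tracked` paragraph are removed, and the cross-agent progress bullet is rewritten from "the Z-Shell Tracker" to "Linear"; the same commit also carries a whitespace-only reformat of `renovate-config.json`. Split the tracker and metrics edits into their own commit and fold the JSON reformat into PATCH 2, so the dependency-management rollout can be reviewed and reverted on its own and each Conventional Commits subject (ADR 0003, cited in the AGENTS.md hunk) describes one change.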
diff --git a/AGENTS.md b/AGENTS.md index 6284835bb..7ed32d64d 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -25,15 +25,15 @@ The broad shapes are: Use the right home for each kind of knowledge: -| Kind of information | Source of truth | -| ---------------------------------- | ----------------------------------------------------- | -| Active work, blockers, next steps | GitHub issues, pull requests, and Linear | -| Private organizational heuristics | `memory/` folder in the root meta-workspace | -| Durable architectural decisions | `decisions/` in this repo | -| Cross-repo operational procedures | `runbooks/` in this repo | -| Reusable implementation idioms | `PATTERNS.md` in this repo | -| Long-form user and maintainer docs | `wiki/` where practical | -| Local LLM memory | Optional cache only, never the only record | +| Kind of information | Source of truth | +| ---------------------------------- | ------------------------------------------- | +| Active work, blockers, next steps | GitHub issues, pull requests, and Linear | +| Private organizational heuristics | `memory/` folder in the root meta-workspace | +| Durable architectural decisions | `decisions/` in this repo | +| Cross-repo operational procedures | `runbooks/` in this repo | +| Reusable implementation idioms | `PATTERNS.md` in this repo | +| Long-form user and maintainer docs | `wiki/` where practical | +| Local LLM memory | Optional cache only, never the only record | For handoffs, follow `.github/AGENT_MEMORY.md`. 
@@ -54,6 +54,7 @@ When working in z-shell repositories, optimize for: - **Commits and PR titles:** Conventional Commits. See `decisions/0003-conventional-commits.md`. - **Documentation placement:** keep long-form docs in the wiki when practical; keep repo-local docs focused on policy, workflow, and source-adjacent guidance. - **Workflow files:** follow the org workflow conventions and keep permissions explicit, actions pinned, and concurrency defined. +- **Dependency updates:** Renovate owns routine version updates; GitHub Dependabot owns vulnerability alerts and security updates. See `runbooks/dependency-management.md`. ## Before editing @@ -96,6 +97,7 @@ For recurring organization workflows, prefer the runbooks and keep the first pas - weekly org review: `runbooks/org-review.md` - issue and PR triage: `runbooks/triage.md` - label maintenance: `runbooks/labels.md` +- dependency management: `runbooks/dependency-management.md` - project tracker automation: `runbooks/project-tracker.md` - new-repository bootstrap: `runbooks/new-repository.md` - ADR drafting: `runbooks/adr.md` @@ -139,6 +141,7 @@ Do not silently work around drift. Open or update an issue in `z-shell/.github`, - `decisions/` - `runbooks/org-review.md` - `runbooks/adr.md` +- `runbooks/dependency-management.md` - `runbooks/labels.md` - `runbooks/new-repository.md` - `runbooks/project-tracker.md` diff --git a/renovate-config.json b/renovate-config.json index c15f0bd4d..1630552c3 100644 --- a/renovate-config.json +++ b/renovate-config.json 
@@ -1,38 +1,23 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "description": "Z-Shell organization preset for routine dependency version updates", - "extends": [ - "config:best-practices", - ":semanticCommits" - ], + "extends": ["config:best-practices", ":semanticCommits"], "timezone": "UTC", - "schedule": [ - "* 0-4 * * 1" - ], + "schedule": ["* 0-4 * * 1"], "minimumReleaseAge": "3 days", "dependencyDashboard": true, "dependencyDashboardTitle": "Dependency Dashboard", - "labels": [ - "type:maintenance", - "area:dependencies" - ], + "labels": ["type:maintenance", "area:dependencies"], "automerge": false, "packageRules": [ { "description": "Group GitHub Actions updates", - "matchManagers": [ - "github-actions" - ], + "matchManagers": ["github-actions"], "groupName": "github actions" }, { "description": "Group non-major updates by package manager", - "matchUpdateTypes": [ - "minor", - "patch", - "pin", - "digest" - ], + "matchUpdateTypes": ["minor", "patch", "pin", "digest"], "groupName": "{{manager}} non-major updates", "groupSlug": "{{manager}}-non-major" } diff --git a/runbooks/dependency-management.md b/runbooks/dependency-management.md new file mode 100644 index 000000000..cf532bfd6 --- /dev/null +++ b/runbooks/dependency-management.md 
@@ -0,0 +1,124 @@ +# Runbook — Dependency Management + +Use this runbook to configure or troubleshoot dependency automation across +Z-Shell repositories. + +## Ownership boundary + +Z-Shell uses two services with separate responsibilities: + +| Service | Responsibility | +| ----------------- | ------------------------------------------------------------------------- | +| GitHub Dependabot | Dependency graph, vulnerability alerts, and security update pull requests | +| Renovate | Routine dependency version update pull requests | + +Do not configure both services to create routine version updates in the same +repository. The split avoids duplicate pull requests, lock-file conflicts, and +unnecessary CI runs. + +The governing proposal is +`decisions/0012-hybrid-dependency-management.md`. Until that ADR is accepted on +`main`, ADR 0004 remains the accepted policy and rollout changes should stay on +their feature branch. + +## Required GitHub security settings + +For every actively maintained repository, enable: + +1. dependency graph; +2. Dependabot alerts; +3. Dependabot security updates. + +These are GitHub repository or organization security settings. They are not +enabled by `renovate-config.json`, and they do not require a +`.github/dependabot.yml` file. + +## Renovate organization preset + +Routine update policy lives in the public organization repository: + +```text +z-shell/.github/renovate-config.json +``` + +Renovate discovers this preset during organization onboarding. A repository may +also reference it explicitly: + +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["local>z-shell/.github:renovate-config"] +} +``` + +Keep repository configuration small. 
Add `renovate.json` only for a real +exception, such as a non-default target branch: + +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["local>z-shell/.github:renovate-config"], + "baseBranches": ["next"] +} +``` + +Custom managers and specialized package grouping also belong in the repository +that needs them. + +## Migrating a repository + +Do not remove Dependabot version updates until Renovate coverage is proven. + +1. Confirm the Renovate GitHub App has access to the repository. +2. Confirm Renovate opens an onboarding/configuration pull request or processes + the repository using the organization preset. +3. Confirm dependency graph, Dependabot alerts, and Dependabot security updates + remain enabled in GitHub settings. +4. Add a minimal `renovate.json` only when the repository needs an override. +5. Delete `.github/dependabot.yml` to stop routine Dependabot version updates. +6. Confirm subsequent routine update pull requests come only from Renovate. + +The safe migration set is the intersection of repositories with Renovate App +coverage and repositories currently containing `.github/dependabot.yml`. + +## Validation + +Validate the shared preset or a repository override with Renovate itself: + +```sh +npx --yes --package renovate renovate-config-validator renovate-config.json +``` + +For a repository override, replace the final path with `renovate.json`. +`jq empty` checks JSON syntax, but it does not prove that Renovate recognizes +every option. + +## Duplicate pull requests + +If both bots open routine updates: + +1. identify which package and manager overlap; +2. confirm Renovate is processing the shared preset; +3. remove the matching Dependabot version-update entry or the whole + `.github/dependabot.yml`; +4. close the duplicate pull request only after choosing the update to retain. + +Dependabot security update pull requests are expected and are not an overlap +with Renovate's routine update ownership. 
+ +## Rollback + +If Renovate cannot access or process a repository: + +1. restore that repository's last known-good `.github/dependabot.yml`; +2. validate its ecosystems, directories, schedule, and target branch; +3. investigate Renovate App access or preset validation; +4. remove the temporary Dependabot version-update configuration only after + Renovate coverage is healthy again. + +## See also + +- `decisions/0004-dependabot-unification.md` +- `decisions/0012-hybrid-dependency-management.md` +- `renovate-config.json` +- `runbooks/new-repository.md` diff --git a/runbooks/new-repository.md b/runbooks/new-repository.md index 2fcbc5b70..ace85e852 100644 --- a/runbooks/new-repository.md +++ b/runbooks/new-repository.md @@ -18,8 +18,8 @@ project-specific behavior. 3. Add the clone to the private meta-workspace `.gitmodules` and `workspace/repos.yml`. Do not put local paths, credentials, or machine facts in the public repository. -4. Apply canonical labels via `runbooks/labels.md` and verify project-tracker - enrollment via `runbooks/project-tracker.md`. +4. Apply canonical labels via `runbooks/labels.md` and configure task tracking + through `runbooks/project-tracker.md`. ## Step 2 — Create the common repository envelope @@ -97,8 +97,6 @@ Start from the organization workflow templates: - `workflow-templates/zsh-ci.yml` for Zsh syntax and smoke validation - `workflow-templates/trunk.yml` for Trunk Code Quality -- `workflow-templates/project-tracker.yml` when repository issues must be - enrolled in the organization tracker Follow `PATTERNS.md`: pin action and reusable-workflow references to immutable commit SHAs with readable version or branch comments. Declare top-level 
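Review bot: The Validation step runs `npx --yes --package renovate renovate-config-validator renovate-config.json` without a version, so every validation downloads and executes whatever `renovate` release the registry currently serves; that sits uneasily beside the repository's own rule, restated in the new-repository.md hunk just below, to pin action references to immutable commit SHAs. Pin the package (`--package renovate@<version>`, with the chosen version recorded in the runbook) so the validator that gates the shared preset is reproducible and identical across maintainers. Separately, the Rollback section asks for the "last known-good `.github/dependabot.yml`" after step 5 of Migrating has deleted it; state where that copy is recovered from (the pre-migration commit) so rollback does not start with a search through history.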
@@ -107,7 +105,19 @@ permissions and concurrency for push and pull-request workflows. Add release automation only when the release class requires it. Plugins and annexes consumed directly from Git usually need validation only. -## Step 5 — Verify before publication +## Step 5 — Configure dependency automation + +Follow `runbooks/dependency-management.md`: + +1. Grant the Renovate GitHub App access to the repository. +2. Confirm Renovate discovers `z-shell/.github/renovate-config.json`. +3. Enable the dependency graph, Dependabot alerts, and Dependabot security + updates in GitHub settings. +4. Add `renovate.json` only for a repository-specific exception such as a + `next` target branch. +5. Do not add `.github/dependabot.yml` for routine version updates. + +## Step 6 — Verify before publication Before opening the bootstrap pull request: @@ -135,6 +145,7 @@ Reusable screenshot and terminal-demo generation is tracked separately in - `AGENTS.md` - `PATTERNS.md` +- `runbooks/dependency-management.md` - `runbooks/labels.md` - `runbooks/project-tracker.md` - `runbooks/release.md` From 434eee0c5ce573ec70b1fc3b5965b03f3e71e455 Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:34:10 +0100 Subject: [PATCH 4/8] chore(deps): delegate version updates to Renovate --- .github/dependabot.yml | 10 ---------- renovate.json | 4 ++++ 2 files changed, 4 insertions(+), 10 deletions(-) delete mode 100644 .github/dependabot.yml create mode 100644 renovate.json diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index d8374ba77..000000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,10 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - - package-ecosystem: "docker" - directory: "/actions/rclone/" - schedule: - interval: "weekly" diff --git a/renovate.json b/renovate.json new file mode 100644 index 000000000..cd0763e74 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,4 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["local>z-shell/.github:renovate-config"] +} From 8e66114ccb906e2a638cd7be564d65678f6d6a6d Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:35:11 +0100 Subject: [PATCH 5/8] docs(deps): link staged rollout issue --- decisions/0012-hybrid-dependency-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/decisions/0012-hybrid-dependency-management.md b/decisions/0012-hybrid-dependency-management.md index 08460ffc5..c3cf91fc5 100644 --- a/decisions/0012-hybrid-dependency-management.md +++ b/decisions/0012-hybrid-dependency-management.md @@ -106,6 +106,7 @@ disabling the Dependabot version-update entry. ## References +- [Issue #452 — Migrate repositories to hybrid Renovate ownership](https://github.com/z-shell/.github/issues/452) - `decisions/0004-dependabot-unification.md` - `runbooks/dependency-management.md` - `renovate-config.json` From 6e4fb03a7008338d900aafcdb439fac048c3324f Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:35:51 +0100 Subject: [PATCH 6/8] fix(deps): preserve GitHub Actions grouping --- renovate-config.json | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/renovate-config.json b/renovate-config.json index 1630552c3..48ffa1d5b 100644 --- a/renovate-config.json +++ b/renovate-config.json @@ -10,16 +10,17 @@ "labels": ["type:maintenance", "area:dependencies"], "automerge": false, "packageRules": [ - { - "description": "Group GitHub Actions updates", - "matchManagers": ["github-actions"], - "groupName": "github actions" - }, { "description": "Group non-major updates by package manager", "matchUpdateTypes": ["minor", "patch", "pin", "digest"], "groupName": "{{manager}} non-major updates", "groupSlug": "{{manager}}-non-major" + }, + { + "description": "Group GitHub Actions updates", + "matchManagers": ["github-actions"], + "groupName": "github actions", + "groupSlug": "github-actions" } ] } 
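Review bot: The PATCH 4 deletion removes routine updates for `github-actions` at `/` and `docker` at `/actions/rclone/` while ADR 0012 is still PROPOSED at this point in the series and before any recorded evidence that Renovate processes this repository; the runbook introduced two patches earlier places app access and preset checks (steps 1 to 3) ahead of "Delete `.github/dependabot.yml`" (step 5). Reference the Renovate onboarding pull request or Dependency Dashboard issue for `z-shell/.github` in the commit body, and confirm the Dockerfile under `actions/rclone/` appears among Renovate's detected dependencies, since the shared preset has no Docker-specific configuration and the removed Dependabot entry named that directory explicitly.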
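Review bot: In the PATCH 6 hunk the reordered `github actions` rule now wins for every update type because it carries no `matchUpdateTypes`; a major action bump is therefore folded into the same grouped branch as patch and digest updates, and a breaking change arrives without its own pull request. Add `"matchUpdateTypes": ["minor", "patch", "pin", "digest"]` to the moved rule, mirroring the rule above it, so majors surface individually.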
From d9b575ab6de5c39925e7ec8d4b8e2af5bc92cab5 Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:41:47 +0100 Subject: [PATCH 7/8] fix(deps): limit initial Renovate update volume --- renovate-config.json | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/renovate-config.json b/renovate-config.json index 48ffa1d5b..df914d783 100644 --- a/renovate-config.json +++ b/renovate-config.json @@ -8,6 +8,8 @@ "dependencyDashboard": true, "dependencyDashboardTitle": "Dependency Dashboard", "labels": ["type:maintenance", "area:dependencies"], + "prConcurrentLimit": 5, + "prHourlyLimit": 2, "automerge": false, "packageRules": [ { @@ -17,10 +19,11 @@ "groupSlug": "{{manager}}-non-major" }, { - "description": "Group GitHub Actions updates", + "description": "Group non-major GitHub Actions updates", "matchManagers": ["github-actions"], - "groupName": "github actions", - "groupSlug": "github-actions" + "matchUpdateTypes": ["minor", "patch", "pin", "digest"], + "groupName": "github actions non-major updates", + "groupSlug": "github-actions-non-major" } ] } From 6a816e2a24296013deaa85c4acc4b5398dcbeb28 Mon Sep 17 00:00:00 2001 From: Sall Date: Sun, 21 Jun 2026 05:43:23 +0100 Subject: [PATCH 8/8] docs(deps): record maintainer acceptance --- decisions/0004-dependabot-unification.md | 2 +- decisions/0012-hybrid-dependency-management.md | 4 ++-- runbooks/dependency-management.md | 7 +++---- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/decisions/0004-dependabot-unification.md b/decisions/0004-dependabot-unification.md index 86733e610..83459ce3b 100644 --- a/decisions/0004-dependabot-unification.md +++ b/decisions/0004-dependabot-unification.md @@ -4,7 +4,7 @@ - **Date:** 2026-05-20 - **Deciders:** ss-o, Gemini CLI - **Supersedes:** None -- **Superseded by:** Proposed: `decisions/0012-hybrid-dependency-management.md` +- **Superseded by:** `decisions/0012-hybrid-dependency-management.md` ## Context 
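Review bot: In the PATCH 7 hunk, changing `groupSlug` from `github-actions` to `github-actions-non-major` changes the branch Renovate creates for the group, so any open pull request from the previous slug will be autoclosed and recreated under the new name; mention this one-off churn in the commit body so it is not mistaken for the duplicate-update defect the runbook's "Duplicate pull requests" section describes. The added `"prHourlyLimit": 2` equals Renovate's default of 2, so only `prConcurrentLimit` changes behaviour here; keep the line if the explicitness is wanted, but say so in the description.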
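Review bot: The PATCH 8 hunk for ADR 0004 updates only the `Superseded by` line while the companion hunk in the same commit flips ADR 0012 to `ACCEPTED`; the `Status` field precedes `Date` in these ADR headers (as ADR 0012 shows) and sits just outside this hunk's context, so it is not shown changing and 0004 may now declare itself superseded while its status still reads as current. Extend the hunk by one line to set 0004's status to superseded, or explain in the commit body why it is left as is.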
diff --git a/decisions/0012-hybrid-dependency-management.md b/decisions/0012-hybrid-dependency-management.md index c3cf91fc5..238a5e372 100644 --- a/decisions/0012-hybrid-dependency-management.md +++ b/decisions/0012-hybrid-dependency-management.md @@ -1,8 +1,8 @@ # 12. Split Dependency Updates Between Renovate and Dependabot -- **Status:** PROPOSED +- **Status:** ACCEPTED - **Date:** 2026-06-21 -- **Deciders:** None until accepted +- **Deciders:** ss-o - **Supersedes:** `decisions/0004-dependabot-unification.md` - **Superseded by:** None diff --git a/runbooks/dependency-management.md b/runbooks/dependency-management.md index cf532bfd6..a42b77e04 100644 --- a/runbooks/dependency-management.md +++ b/runbooks/dependency-management.md @@ -16,10 +16,9 @@ Do not configure both services to create routine version updates in the same repository. The split avoids duplicate pull requests, lock-file conflicts, and unnecessary CI runs. -The governing proposal is -`decisions/0012-hybrid-dependency-management.md`. Until that ADR is accepted on -`main`, ADR 0004 remains the accepted policy and rollout changes should stay on -their feature branch. +The governing decision is `decisions/0012-hybrid-dependency-management.md`. +ADR 0004 remains the live policy until the superseding ADR and its +configuration reach `main`. ## Required GitHub security settings