From 3f19dc0ba4ba965dcbfcf75b0d7aa5d356237f01 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 16:35:25 +0000
Subject: [PATCH 1/5] Add renovate.json

---
 renovate.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 renovate.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..5db72dd
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended"
+ ]
+}
From 08d55ca4daeb8b8540a58f6bf64ed323f5ea4141 Mon Sep 17 00:00:00 2001
From: Alice Wong
Date: Thu, 14 May 2026 18:04:53 +0100
Subject: [PATCH 2/5] Rename `renovate.json`

---
 renovate.json => renovate.json5 | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename renovate.json => renovate.json5 (100%)
diff --git a/renovate.json b/renovate.json5
similarity index 100%
rename from renovate.json
rename to renovate.json5
From 2146b4d962d4c6e0d5250f40872116aec239b589 Mon Sep 17 00:00:00 2001
From: Alice Wong
Date: Thu, 14 May 2026 18:05:35 +0100
Subject: [PATCH 3/5] Add custom Renovate configuration

---
 renovate.json5 | 117 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 115 insertions(+), 2 deletions(-)
diff --git a/renovate.json5 b/renovate.json5
index 5db72dd..521fa86 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,6 +1,119 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "config:recommended"
- ]
+ // Start with the Renovate recommended config
+ // https://docs.renovatebot.com/presets-config/#configrecommended
+ "config:recommended",
+ // ensure all GHA are pinned to digests
+ // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+ "helpers:pinGitHubActionDigests",
+ // report on abandoned pacakges
+ // https://docs.renovatebot.com/presets-abandonments/
+ "abandonments:recommended",
+ // We don't want automated docker/docker-compose/Dockerfile updates
+ "docker:disable",
+ // Add the nice badges to PRs
+ // https://docs.renovatebot.com/presets-mergeConfidence/#mergeconfidenceall-badges
+ "mergeConfidence:all-badges"
+ ],
+ // Label all Reonvate PRs with "dependencies"
+ "labels": ["dependencies"],
+ //
+ // NOTE: lockFileMaintenance is currently disabled as it doesn't respect the
+ // minimumReleaseAge for uv. An open PR for adding it has been put on hold for now.
+ // https://github.com/renovatebot/renovate/pull/41913#issuecomment-4231423178
+ // Instead, for now we use the update-dependencies-action to update the
+ // uv lockfile
+ "lockFileMaintenance": { "enabled": false},
+ // update transitive deps by updating the entire lockfile
+ // We run this on the same schedule; add a note for the reviewer to do the
+ // default dependencies first to reduce the amount needed for review in the
+ // full lockfile update
+ // "lockFileMaintenance": {
+ // "enabled": true,
+ // "minimumReleaseAge": "7 days",
+ // "schedule": [
+ // "* 0-3 * * WED"
+ // ],
+ // "prBodyNotes": [":information_source: Before reviewing this PR, merge any prod/dev dependency PRs and rebase."]
+ // },
+ //
+ // Note package rules apply only to direct dependencies
+ // group dependencies by dev/prod, cooldown 7 days, run early Wed mornings
+ // rangeStrategy: widen expands the range when a new version is found and updates the lockfile (with respect to the cooldown).
+ // Assumes that the repo has upper limits (<=) set on pyproject.toml dependencies
+ // Note that we can't (as of 2026-03-20 at least) use the "bump" strategy to always bump versions. This expands
+ // the pyproject.toml range with respect to the cooldown, but DOESN'T respect the cooldown when it updates the
+ // lockfile, which results in a conflict with MinimumReleaseAge.
+ "packageRules": [
+ // don't auto-update python-version or node-version, we want to manage these updates ourselves
+ {
+ "matchManagers": ["pyenv", "nodenv"],
+ "enabled": false
+ },
+ // don't auto-update requires-python in pyproject.toml
+ {
+ matchDepTypes: ["requires-python"],
+ enabled: false,
+ },
+ // We handle github runners (ubuntu versions etc) manually
+ {
+ "matchDatasources": ["github-runners"],
+ "enabled": false
+ },
+ // pep621 covers pyproject.toml and uv.lock files
+ // https://docs.renovatebot.com/modules/manager/pep621/
+ {
+ "matchManagers": ["pep621"],
+ "matchDepTypes": ["dependency-groups", "tool.uv.dev-dependencies"],
+ "addLabels": ["python"],
+ "groupName": "python dev dependencies",
+ "rangeStrategy": "widen",
+ "minimumReleaseAge": "7 days",
+ "schedule": [
+ "* 0-3 * * WED"
+ ],
+ },
+ {
+ "matchManagers": ["pep621"],
+ "matchDepTypes": ["project.dependencies", "project.optional-dependencies", "tool.uv.sources"],
+ "addLabels": ["python"],
+ "groupName": "python prod dependencies",
+ "rangeStrategy": "widen",
+ "minimumReleaseAge": "7 days",
+ "schedule": [
+ "* 0-3 * * WED"
+ ],
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "groupName": "GitHub Actions",
+ "addLabels": ["actions"],
+ "minimumReleaseAge": "7 days",
+ "schedule": [
+ "* 0-3 * * WED"
+ ]
+ },
+ // disable minimumReleaseAge for pinDigest to avoid the stability-days check showing as pending
+ // when Renovate opens a PR for pinning GHA dependencies to digests
+ {
+ "description": "Disable minimumReleaseAge for pinDigest update types",
+ "matchUpdateTypes": ["pinDigest"],
+ "minimumReleaseAge": null,
+ },
+ // EXAMPLE: If required, pin a specific dependency to an upper allowed version
+ // Otherwise renovate will use the general "widen" strategy to change the upper limit in pyproject.toml
+ // and will bump it anyway
+ // {
+ // "matchManagers": ["pep621"],
+ // "matchDepNames": ["Django"],
+ // "allowedVersions": "<6.0"
+ // },
+ ],
+ // Include vulnerability alerts; this uses dependabot and requires that depenency graph and
+ // dependabot alerts are enabled in the repo
+ // https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts
+ "vulnerabilityAlerts": {
+ "addLabels": ["security"]
+ }
 }
From 55a9c057a4ba6af40f7831bfab103ea5d976e526 Mon Sep 17 00:00:00 2001
From: Alice Wong
Date: Fri, 15 May 2026 10:43:47 +0100
Subject: [PATCH 4/5] Add `just check-renovate-config` recipe

---
 justfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/justfile b/justfile
index 0ad02b0..7024cc2 100644
--- a/justfile
+++ b/justfile
@@ -106,6 +106,9 @@ check-lockfile:
 rc=0
 uv lock --check
 
+check-renovate-config:
+ npx --yes --package renovate -- renovate-config-validator
+
 # Fix formatting, import sort ordering, and justfile
 fix:
 -uv run ruff check --fix .
From 472e686cf47c9a9fd9bd58943fe066fb28eaf8a6 Mon Sep 17 00:00:00 2001
From: Alice Wong
Date: Fri, 15 May 2026 13:05:50 +0100
Subject: [PATCH 5/5] Rename `requirements.uvmirror.txt`

If the mirror file ends with `.txt`, Renovate gets a bit confused and tries to propose updates for Python dependencies outside of the configured prod/dev/lockfile maintenance groupings.
---
 justfile | 2 +-
 requirements.uvmirror.txt => requirements.uvmirror | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename requirements.uvmirror.txt => requirements.uvmirror (100%)
diff --git a/justfile b/justfile
index 7024cc2..4dadd47 100644
--- a/justfile
+++ b/justfile
@@ -38,7 +38,7 @@ upgrade-all cooldown="7 days ago": && devenv
 uv lock --upgrade --exclude-newer "{{ cooldown }}"
 
 # update the uv mirror requirements file
-uvmirror file="requirements.uvmirror.txt":
+uvmirror file="requirements.uvmirror":
 rm -f {{ file }}
 uv export --format requirements-txt --frozen --no-hashes --all-groups --all-extras > {{ file }}
 
diff --git a/requirements.uvmirror.txt b/requirements.uvmirror
similarity index 100%
rename from requirements.uvmirror.txt
rename to requirements.uvmirror
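Review bot: The `vulnerabilityAlerts` block at the end of the hunk only adds a label, so the 7-day `minimumReleaseAge` and Wednesday `schedule` configured in the pep621 and github-actions package rules do not apply to security PRs — as far as I recall Renovate's documented defaults for `vulnerabilityAlerts`, they set `minimumReleaseAge` to null, clear the schedule and create the PR immediately. That is the right behaviour for a vulnerability fix, but the cooldown is this config's main guard against a freshly published release, so the comment above the block should state the trade-off rather than leave a reviewer assuming the cooldown holds: `// NOTE: vulnerability PRs bypass the 7-day cooldown and Wednesday schedule set in packageRules (Renovate's vulnerabilityAlerts defaults); prioritise them but review the proposed version with the same care`. Separately, the `requires-python` rule uses unquoted keys (`matchDepTypes:`, `enabled:`) while every other rule quotes them; quoting them keeps the file consistent and readable as JSON-with-comments. The comments in this hunk also carry three typos worth fixing in the same pass: `pacakges`, `Reonvate` and `depenency`.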
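Review bot: `npx --yes --package renovate -- renovate-config-validator` in the new `check-renovate-config` recipe fetches and runs whatever `renovate` version is current on npm at the moment the recipe runs, with `--yes` suppressing the install prompt, which sits oddly next to a configuration whose point is digest pinning and a 7-day cooldown for everything else. Pinning the validator, `npx --yes --package renovate@<pinned version> -- renovate-config-validator`, makes the check reproducible across developer machines and CI and keeps a just-published release out of the developer's shell; bump the pin deliberately when the config schema changes. The recipe also lacks the leading comment the neighbouring recipes carry, e.g. `# Validate renovate.json5 against the Renovate config schema` placed above `check-renovate-config:`.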