feat(renovate): onboard Renovate with fleet-standard config #152

Open: williaby wants to merge 1 commit into main from feat/renovate-onboard

williaby (Owner) commented Jun 4, 2026

Summary

Onboards Renovate to this repo with a fleet-standard config modeled on the sibling williaby/image-generation renovate.json (same schema, extends/presets, scheduling, labels, packageRules shape, and vulnerability settings).

enabledManagers (verified against actual manifests)

  • poetry and pip_requirements — Python deps: pyproject.toml [tool.poetry] + poetry.lock, plus the exported requirements.txt
  • dockerfile — Dockerfile (FROM python:3.11-slim)
  • github-actions — .github/workflows/
  • pre-commit — .pre-commit-config.yaml

docker-compose.yml uses only build: . (no pinnable image: refs), so the docker-compose manager is intentionally omitted. No open-pull-requests-limit: this is real PR-opening Renovate config (uses prConcurrentLimit: 5 per the fleet sibling).

.gitignore change

A blanket *.json ignore was hiding renovate.json; added a !renovate.json negation so the config is tracked while the security-artifact ignore stays intact.

Validation

renovate-config-validator (via npx renovate): Config validated successfully. The validator notes transitiveRemediation is deprecated in the current schema; retained for parity with the fleet sibling (informational, not an error).

Notes

  • Pre-existing repo debt: the semgrep and vulture pre-commit hooks (both pass_filenames: false full-tree Nox sessions) fail on a private-source (assured-oss / us-python.pkg.dev) authorization error, reproduced identically on clean origin/main. Skipped via SKIP= for this commit; not related to this change. All file-scoped hooks passed.
  • Follow-up: instance-side Renovate scan-list onboarding still required so the app actually picks up this repo.

Generated with Claude Code
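
The manager list above is described as verified against the repo's actual manifests; the following added example (not part of the PR or the project's code) shows one way to script that check. The glob patterns in `MANIFESTS` and the helper names `updatable`, `audit` and `build_sample_repo` are assumptions for illustration, simplified from how Renovate matches files, and the sample repo is constructed.

```python
import re
import tempfile
from pathlib import Path

# Simplified manifest globs per manager: an assumption for this example,
# not Renovate's own file-matching defaults.
MANIFESTS = {
    "poetry": ["pyproject.toml"],
    "pip_requirements": ["requirements.txt"],
    "dockerfile": ["Dockerfile"],
    "github-actions": [".github/workflows/*.yml", ".github/workflows/*.yaml"],
    "pre-commit": [".pre-commit-config.yaml"],
    "docker-compose": ["docker-compose.yml"],
}

def updatable(manager: str, path: Path) -> bool:
    """A manifest counts only if it holds something the manager could bump."""
    text = path.read_text()
    if manager == "docker-compose":  # build-only services pin no image
        return re.search(r"^\s*image:\s*\S+", text, re.M) is not None
    if manager == "poetry":
        return "[tool.poetry]" in text
    return bool(text.strip())

def audit(repo: Path, enabled: list[str]) -> dict[str, list[str]]:
    """Compare enabledManagers with the manifests actually present."""
    found = {m for m, globs in MANIFESTS.items()
             if any(updatable(m, p) for g in globs for p in repo.glob(g))}
    return {"enabled_without_manifest": sorted(set(enabled) - found),
            "manifest_without_manager": sorted(found - set(enabled))}

def build_sample_repo(root: Path, compose: str) -> Path:
    """Constructed layout mirroring the files named in the PR description."""
    files = {"pyproject.toml": "[tool.poetry]\nname = 'demo'\n",
             "requirements.txt": "requests==2.32.3\n",
             "Dockerfile": "FROM python:3.11-slim\n",
             ".github/workflows/ci.yml": "jobs: {}\n",
             ".pre-commit-config.yaml": "repos: []\n",
             "docker-compose.yml": compose}
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return root

if __name__ == "__main__":
    enabled = ["poetry", "pip_requirements", "dockerfile", "github-actions", "pre-commit"]
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_repo(Path(tmp), "services:\n  app:\n    build: .\n")
        print(audit(repo, enabled))
```

An empty list under both keys means the enabled managers and the manifests agree; a compose file that gains an `image:` reference would show up under `manifest_without_manager`.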

Add a fleet-standard renovate.json modeled on williaby/image-generation,
adapted to this repo's actual manifests. enabledManagers covers poetry and
pip_requirements (Python: pyproject [tool.poetry] + poetry.lock and the
exported requirements.txt), dockerfile (Dockerfile), github-actions, and
pre-commit. Add a !renovate.json negation to .gitignore so the config is
tracked despite the blanket *.json security-artifact ignore.

SKIP=semgrep,vulture: both are pass_filenames:false Nox hooks that fail on a
pre-existing private-source (assured-oss) auth error unrelated to this change;
reproduced identically on clean origin/main.

Copilot AI review requested due to automatic review settings June 4, 2026 14:26

coderabbitai Bot commented Jun 4, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 18 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 184cf438-ee85-4b3f-ba52-f8fea0b9d1cd

📥 Commits

Reviewing files that changed from the base of the PR and between ca3bfe5 and 90aee4e.

📒 Files selected for processing (2)
  • .gitignore
  • renovate.json

Copilot AI left a comment


Pull request overview

This PR onboards Renovate to the repository by adding a fleet-standard renovate.json configuration and adjusting .gitignore so the Renovate config is tracked despite a blanket *.json ignore.

Changes:

  • Add a Renovate configuration (renovate.json) with scheduling, grouping/automerge rules, enabled managers, and vulnerability alert settings.
  • Update .gitignore to ensure renovate.json is not ignored by the existing *.json rule.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File | Description
renovate.json | Introduces Renovate onboarding configuration (managers, scheduling, packageRules, vulnerability settings).
.gitignore | Re-includes renovate.json so Renovate config can be committed even with *.json ignored.


Comment thread renovate.json
Comment on lines +89 to +90
"osvVulnerabilityAlerts": true,
"transitiveRemediation": true
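
Review bot: On line +90, `transitiveRemediation` is the option the PR description says renovate-config-validator reports as deprecated in the current schema, and it is kept only for parity with the fleet sibling. Suggest removing it here and in the sibling config in the same pass, or, if it stays, opening a tracked follow-up so that a later Renovate release that stops accepting the key does not fail validation of this repository's config. The validator note does not mention `osvVulnerabilityAlerts` on line +89, so that line can stay as is.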