From 90aee4e6b2db75b0d4ddb55979f14035fae1c237 Mon Sep 17 00:00:00 2001
From: Byron Williams
Date: Thu, 4 Jun 2026 07:26:23 -0700
Subject: [PATCH] feat(renovate): onboard Renovate with fleet-standard config
Add a fleet-standard renovate.json modeled on williaby/image-generation, adapted to this repo's actual manifests. enabledManagers covers poetry and pip_requirements (Python: pyproject [tool.poetry] + poetry.lock and the exported requirements.txt), dockerfile (Dockerfile), github-actions, and pre-commit. Add a !renovate.json negation to .gitignore so the config is tracked despite the blanket *.json security-artifact ignore. SKIP=semgrep,vulture: both are pass_filenames:false Nox hooks that fail on a pre-existing private-source (assured-oss) auth error unrelated to this change; reproduced identically on clean origin/main.
---
 .gitignore | 2 ++
 renovate.json | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 renovate.json
diff --git a/.gitignore b/.gitignore
index 6caed2b..6a4aea5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,8 @@ ledgerbase_secure_env/service-account.plain.json
 # Security and audit artifacts
 *.sarif
 *.json
+# Renovate config must be tracked at repo root despite the blanket *.json ignore
+!renovate.json
 safety_output.txt
 semgrep-results.json
 license-report.json
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..8c4263f
--- /dev/null
+++ b/renovate.json
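Review bot: `!renovate.json` is an unanchored pattern and re-includes a file by that name at any depth, not only at the repo root as the new comment states; because the blanket `*.json` rule is the repo's security-artifact guard, the negation should be scoped with a leading slash, `!/renovate.json`, so a stray `renovate.json` written anywhere else in the tree stays ignored. The comment could say the same: `# Renovate config must be tracked at repo root; the leading slash keeps the negation root-only`.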
@@ -0,0 +1,91 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":dependencyDashboard",
+ ":semanticCommits",
+ ":preserveSemverRanges"
+ ],
+ "timezone": "America/New_York",
+ "schedule": [
+ "after 10pm every weekday",
+ "before 5am every weekday",
+ "every weekend"
+ ],
+ "labels": [
+ "dependencies",
+ "automated"
+ ],
+ "assignees": [
+ "ByronWilliamsCPA"
+ ],
+ "reviewers": [
+ "ByronWilliamsCPA"
+ ],
+ "packageRules": [
+ {
+ "description": "Auto-merge GitHub Actions minor/patch updates",
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["minor", "patch"],
+ "automerge": true,
+ "automergeType": "pr",
+ "automergeStrategy": "squash"
+ },
+ {
+ "description": "Group GitHub Actions updates",
+ "matchManagers": ["github-actions"],
+ "groupName": "GitHub Actions",
+ "commitMessageTopic": "GitHub Actions"
+ },
+ {
+ "description": "Pin GitHub Actions to commit SHA",
+ "matchManagers": ["github-actions"],
+ "pinDigests": true
+ },
+ {
+ "description": "Name Python dependency PRs by package. This repo uses Poetry (pyproject.toml [tool.poetry] plus poetry.lock) as the dependency source, with a generated requirements.txt exported for tooling; both pip-family managers are matched so updates stay aligned.",
+ "matchManagers": ["poetry", "pip_requirements"],
+ "groupName": "Python dep {{depName}}",
+ "commitMessageTopic": "Python dependency {{depName}}"
+ },
+ {
+ "description": "Disable automated Python version (requires-python) updates; bump manually when ready",
+ "matchDepTypes": ["requires-python"],
+ "enabled": false,
+ "labels": ["dependencies", "python-version", "breaking-change"]
+ },
+ {
+ "description": "Refresh SHA pins for org reusable workflows that float the v1 tag. pinDigests (rule 3) handles the initial pin; this rule groups the digest-refresh PRs for ByronWilliamsCPA/.github and williaby/.github so they don't generate noise as individual updates.",
+ "matchManagers": ["github-actions"],
+ "matchPackageNames": ["/ByronWilliamsCPA\\/\\.github/", "/williaby\\/\\.github/"],
+ "groupName": "Org workflow SHA pins"
+ }
+ ],
+ "enabledManagers": [
+ "poetry",
+ "pip_requirements",
+ "dockerfile",
+ "github-actions",
+ "pre-commit"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 5am on monday"],
+ "commitMessageAction": "Refresh"
+ },
+ "separateMajorMinor": true,
+ "separateMinorPatch": false,
+ "prConcurrentLimit": 5,
+ "rebaseWhen": "conflicted",
+ "semanticCommits": "enabled",
+ "commitMessagePrefix": "chore(deps):",
+ "rangeStrategy": "bump",
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["security"],
+ "assignees": ["ByronWilliamsCPA"],
+ "reviewers": ["ByronWilliamsCPA"]
+ },
+ "osvVulnerabilityAlerts": true,
+ "transitiveRemediation": true
+}
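Review bot: The top-level `"rangeStrategy": "bump"` near the end of the file overrides the `":preserveSemverRanges"` preset listed in `extends` (that preset only sets `rangeStrategy` to `replace`, and a config's own keys win over its presets), so one of the two is dead configuration and the pyproject ranges will in fact be bumped; keep whichever is intended by dropping either `":preserveSemverRanges"` from `extends` or the `"rangeStrategy": "bump"` line. Separately, `pinDigests` is applied only to the github-actions manager while `dockerfile` is enabled without it, so base-image tags in the Dockerfile stay mutable; adding `"docker:pinDigests"` to `extends` (or a `dockerfile` packageRule with `"pinDigests": true`) would hold images to the same standard as actions. As far as I recall `transitiveRemediation` is honored only by the npm manager, so it is likely a no-op for the poetry/pip manifests here and deserves either a note in a description or removal.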