2 changes: 2 additions & 0 deletions .gitignore
@@ -51,6 +51,8 @@ ledgerbase_secure_env/service-account.plain.json
# Security and audit artifacts
*.sarif
*.json
# Renovate config must be tracked at repo root despite the blanket *.json ignore
!renovate.json
safety_output.txt
semgrep-results.json
license-report.json
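Review bot: `!renovate.json` has no leading slash, so it re-includes a file of that name at any depth, while the comment above it says the exception is for the repo root. The blanket `*.json` ignore appears to be what keeps credential-style files such as the service-account JSON named in the hunk header out of the index, so I would keep the exception as narrow as the comment states: `!/renovate.json`.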
91 changes: 91 additions & 0 deletions renovate.json
@@ -0,0 +1,91 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":dependencyDashboard",
":semanticCommits",
":preserveSemverRanges"
],
"timezone": "America/New_York",
"schedule": [
"after 10pm every weekday",
"before 5am every weekday",
"every weekend"
],
"labels": [
"dependencies",
"automated"
],
"assignees": [
"ByronWilliamsCPA"
],
"reviewers": [
"ByronWilliamsCPA"
],
"packageRules": [
{
"description": "Auto-merge GitHub Actions minor/patch updates",
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"automergeType": "pr",
"automergeStrategy": "squash"
},
{
"description": "Group GitHub Actions updates",
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions",
"commitMessageTopic": "GitHub Actions"
},
{
"description": "Pin GitHub Actions to commit SHA",
"matchManagers": ["github-actions"],
"pinDigests": true
},
{
"description": "Name Python dependency PRs by package. This repo uses Poetry (pyproject.toml [tool.poetry] plus poetry.lock) as the dependency source, with a generated requirements.txt exported for tooling; both pip-family managers are matched so updates stay aligned.",
"matchManagers": ["poetry", "pip_requirements"],
"groupName": "Python dep {{depName}}",
"commitMessageTopic": "Python dependency {{depName}}"
},
{
"description": "Disable automated Python version (requires-python) updates; bump manually when ready",
"matchDepTypes": ["requires-python"],
"enabled": false,
"labels": ["dependencies", "python-version", "breaking-change"]
},
{
"description": "Refresh SHA pins for org reusable workflows that float the v1 tag. pinDigests (rule 3) handles the initial pin; this rule groups the digest-refresh PRs for ByronWilliamsCPA/.github and williaby/.github so they don't generate noise as individual updates.",
"matchManagers": ["github-actions"],
"matchPackageNames": ["/ByronWilliamsCPA\\/\\.github/", "/williaby\\/\\.github/"],
"groupName": "Org workflow SHA pins"
}
],
"enabledManagers": [
"poetry",
"pip_requirements",
"dockerfile",
"github-actions",
"pre-commit"
],
"lockFileMaintenance": {
"enabled": true,
"schedule": ["before 5am on monday"],
"commitMessageAction": "Refresh"
},
"separateMajorMinor": true,
"separateMinorPatch": false,
"prConcurrentLimit": 5,
"rebaseWhen": "conflicted",
"semanticCommits": "enabled",
"commitMessagePrefix": "chore(deps):",
"rangeStrategy": "bump",
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security"],
"assignees": ["ByronWilliamsCPA"],
"reviewers": ["ByronWilliamsCPA"]
},
"osvVulnerabilityAlerts": true,
"transitiveRemediation": true
Comment on lines +89 to +90
}
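Review bot: The first `packageRules` entry auto-merges every minor/patch GitHub Actions update, third-party actions included, with no soak time and no restriction on publisher, so a tampered upstream release could reach the workflows without anyone reading the change. Digest pinning in the third rule fixes what runs today, but automerge then moves that pin on your behalf. I would add `"minimumReleaseAge": "3 days"` to the automerge rule and consider scoping it with `"matchPackageNames": ["actions/**"]` (or whichever publishers you trust), leaving other actions to normal review. Nothing in this file shows which status checks gate the merge, so it is worth confirming that branch protection requires them on these PRs.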