@SonarSource/renovate-config

Shareable config for Renovate.

Presets

Rebase policy

The organization defaults to manual rebasing by setting rebaseWhen to never in the shared default preset. This avoids large CI spikes when many Renovate PRs are open.

When a Renovate PR must be rebased, do it manually from the Renovate UI:

  1. Open developer.mend.io and log in with GitHub.
  2. Select the Renovate app (not Forking Renovate).
  3. Open your repository and the target Renovate PR.
  4. Trigger a manual rebase from the UI (Rebase action).

Use manual rebasing only when needed (for example, merge conflicts, outdated base branch, or required checks that need a fresh branch).

  "extends": ["github>SonarSource/renovate-config"]

Dependency grouping

To reduce Renovate PR volume, the shared default preset groups updates by manager using packageRules. Manager-based groups currently include: github-actions, maven, gradle (including gradle-wrapper), npm, poetry, pipenv, pip_requirements, nuget, terraform, helmfile, and mise. The preset also includes an additional non-manager grouping rule that groups all mise updates together.

Authentication

Provides authentication credentials to https://repox.jfrog.io. The following package managers were tested for compatibility: npm, maven, gradle, pipenv, poetry, and nuget.

Note: authentication only works when Renovate is executed using the GitHub app. If you are running locally, see the instructions at local-testing.

  "extends": ["github>SonarSource/renovate-config:dev-infra-squad"]

Enables the github-actions manager and custom managers for updating Amazon Machine Images, Cirrus CI modules, and Cirrus CI CLI.

AWS Machine Images in Terraform and Packer projects

Replaces version strings in *.pkrvars.hcl and *.tfvars files.

Example
# amiFilter=[{"Name":"image-type","Values":["machine"]},{"Name":"name","Values":["sonar-image"]},{"Name":"state","Values":["available"]},{"Name":"is-public","Values":["false"]}]
# currentImageName=sonar-image-1.0
sonar_ami_id = "ami-123456789012"

amis = {
  # amiFilter=[{"Name":"image-type","Values":["machine"]},{"Name":"name","Values":["sonar-image"]},{"Name":"state","Values":["available"]},{"Name":"is-public","Values":["false"]}]
  # currentImageName=sonar-image-1.0
  "ubuntu-20.04" = "ami-123456789012"
}

  • amiFilter: Use the DescribeImages filter parameter in minified JSON format.
  • currentImageName: The name of the current image. Managed by Renovate.
  • image_id: The ID of the current image. Managed by Renovate.

AWS Machine Images in Helm gotmpl files

Replaces AMI IDs in Helm *.gotmpl files (e.g. Karpenter EC2NodeClass values). Uses the same aws-machine-image datasource.

Example
# renovate: amiFilter=[{"Name":"image-type","Values":["machine"]},{"Name":"name","Values":["sonar-amazon-eks-node-1-32 *"]},{"Name":"state","Values":["available"]},{"Name":"is-public","Values":["false"]}]
# currentImageName=sonar-amazon-eks-node-1-32 2026-02-09T14-00-00.000000Z
{{- $karpenter_ami_id := "ami-0b900a757ae0f2a4c" }}

  • Supports both # amiFilter= and # renovate: amiFilter= prefixes.
  • currentImageName: Image name and timestamp. Managed by Renovate.
  • The Go template variable ($var := "ami-xxx") is automatically updated.
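The annotation layout used in both AMI sections above (Terraform/Packer and Helm gotmpl) can be linted before Renovate acts on it. The following is an added example, not the preset's own matcher: the function names, the sample block and the rule that a filter must carry is-public=false or an owner-id constraint are assumptions made for illustration.

```javascript
// Added example, not the preset's matcher. The ownership rule is an assumed policy.
const FILTER_RE = /^\s*#\s*(?:renovate:\s*)?amiFilter=(.+)$/;
const NAME_RE = /^\s*#\s*currentImageName=(.+)$/;
const AMI_RE = /"(ami-[0-9a-f]+)"/;
function valuesOf(filters, name) {
  const hit = filters.find((f) => f && f.Name === name);
  return hit && Array.isArray(hit.Values) ? hit.Values : [];
}

function auditAmiAnnotations(text) {
  const report = [];
  text.split(/\r?\n/).forEach((line, i, lines) => {
    const m = FILTER_RE.exec(line);
    if (!m) return;
    const entry = { line: i + 1, imageName: null, amiId: null, problems: [] };
    let filters = [];
    try {
      const parsed = JSON.parse(m[1]);
      if (Array.isArray(parsed)) filters = parsed;
      else entry.problems.push("amiFilter is not a JSON array");
    } catch (err) {
      entry.problems.push("amiFilter is not valid JSON");
    }
    // A name-only filter can also match a look-alike public image.
    const scoped = valuesOf(filters, "is-public").includes("false") || valuesOf(filters, "owner-id").length > 0;
    if (filters.length > 0 && !scoped) entry.problems.push("filter does not restrict image ownership");
    const name = NAME_RE.exec(lines[i + 1] || "");
    const ami = AMI_RE.exec(lines[i + 2] || "");
    if (name) entry.imageName = name[1].trim();
    else entry.problems.push("currentImageName line missing");
    if (ami) entry.amiId = ami[1];
    else entry.problems.push("no quoted ami- ID after the annotation");
    report.push(entry);
  });
  return report;
}

// Constructed sample: the page's two layouts (filters shortened) plus an unscoped one.
const SAMPLE = [
  '# amiFilter=[{"Name":"name","Values":["sonar-image"]},{"Name":"is-public","Values":["false"]}]',
  '# currentImageName=sonar-image-1.0',
  'sonar_ami_id = "ami-123456789012"',
  '# renovate: amiFilter=[{"Name":"name","Values":["sonar-amazon-eks-node-1-32 *"]},{"Name":"is-public","Values":["false"]}]',
  '# currentImageName=sonar-amazon-eks-node-1-32 2026-02-09T14-00-00.000000Z',
  '{{- $karpenter_ami_id := "ami-0b900a757ae0f2a4c" }}',
  '# amiFilter=[{"Name":"name","Values":["sonar-image"]}]',
  '# currentImageName=sonar-image-1.0',
  'other_ami_id = "ami-0000000000000000a"',
].join("\n");
```

Calling auditAmiAnnotations(SAMPLE) returns one entry per annotation; only the third carries a problem, because its filter constrains the name alone.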

AWS Machine Images in CDK projects

Replaces version strings in cdk.context.json files. Works with LookupMachineImage. Only the name parameter is used by the manager. Any additional parameters such as filters are ignored.

Cirrus CI modules in the main Starlark files

Replaces Cirrus CI module version or digest strings in .cirrus.star and lib.star files.

Example
# renovate: datasource=github-releases depName=SonarSource/cirrus-modules
load("github.com/SonarSource/cirrus-modules@2.9.0", "load_features")

# renovate: datasource=github-releases depName=SonarSource/cirrus-modules
load("github.com/SonarSource/cirrus-modules@54babd3268dd6daf42ad877100789169a14e5fb3", "load_features")  # 2.9.0

ghcr.io Docker images in Cirrus CI YAML file

Replaces ghcr.io Docker image versions in .cirrus.yaml and .cirrus.yml files.

Example
  image: ghcr.io/cirruslabs/cirrus-cli:v0.106.0

or

  image: ghcr.io/cirruslabs/cirrus-cli@sha256:d3fab24e08d1fd7f85826dc1513186bb5423710fdd497e6d9b85debd08d88b42 # v0.106.0
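The Cirrus module and ghcr.io sections above each show a reference in two forms: a version tag, and an immutable commit or sha256 digest with the version kept in a trailing comment. The following added example (not the preset's own regexes) classifies such lines; the function names and the rule that a pinned reference without a version comment is a finding are assumptions.

```javascript
// Added example, not the preset's regexes: separate mutable tags from immutable pins.
const STAR_RE = /load\("github\.com\/([\w.-]+\/[\w.-]+)@([^"]+)"[^)]*\)\s*(?:#\s*(\S+))?/;
const IMAGE_RE = /image:\s*(ghcr\.io\/[\w.\/-]+?)(?::([\w.-]+)|@(sha256:[0-9a-f]{64}))\s*(?:#\s*(\S+))?\s*$/;

function classifyReference(line) {
  let m = STAR_RE.exec(line);
  if (m) {
    // A full 40-hex commit SHA is immutable; anything else is treated as a tag.
    const pinned = /^[0-9a-f]{40}$/.test(m[2]);
    return { dep: m[1], ref: m[2], pinned, version: pinned ? m[3] || null : m[2] };
  }
  m = IMAGE_RE.exec(line);
  if (m) {
    const pinned = Boolean(m[3]);
    return { dep: m[1], ref: m[3] || m[2], pinned, version: pinned ? m[4] || null : m[2] };
  }
  return null;
}

function auditPins(text) {
  const out = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const r = classifyReference(line);
    if (!r) return;
    let status = "ok";
    if (!r.pinned) status = "mutable-tag";
    // Assumed convention: a pin should keep its human-readable version in a comment.
    else if (!r.version) status = "pinned-without-version-comment";
    out.push({ line: i + 1, ...r, status });
  });
  return out;
}

// Constructed sample: the page's four example lines plus a digest with no comment.
const SAMPLE_PINS = [
  'load("github.com/SonarSource/cirrus-modules@2.9.0", "load_features")',
  'load("github.com/SonarSource/cirrus-modules@54babd3268dd6daf42ad877100789169a14e5fb3", "load_features")  # 2.9.0',
  '  image: ghcr.io/cirruslabs/cirrus-cli:v0.106.0',
  '  image: ghcr.io/cirruslabs/cirrus-cli@sha256:d3fab24e08d1fd7f85826dc1513186bb5423710fdd497e6d9b85debd08d88b42 # v0.106.0',
  '  image: ghcr.io/cirruslabs/cirrus-cli@sha256:d3fab24e08d1fd7f85826dc1513186bb5423710fdd497e6d9b85debd08d88b42',
].join("\n");
```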

GitHub Runners ECR Images in YAML files

Replaces Amazon ECR Docker image versions in the GitHub runners configuration file located in infra/applications/github-runners/values/config.yaml.

Example
RunnerImage: "275878209202.dkr.ecr.eu-central-1.amazonaws.com/base:20241201123456"

  • depName: The ECR repository URL (e.g., 275878209202.dkr.ecr.eu-central-1.amazonaws.com/base)
  • currentValue: The current image tag in timestamp format (e.g., 20241201123456)
  • The manager automatically detects and updates the ECR image tags to their latest available versions

  "extends": ["github>SonarSource/renovate-config:languages-team"]

Enables the custom manager for replacing version strings in snapshot-generation.sh.

Example
# renovate: datasource=github-releases depName=SonarSource/sonar-kotlin
export KOTLIN_VERSION=2.15.0.2579

  • datasource: The Renovate datasource. Should be github-releases.
  • depName: GitHub owner/repo name to check for new releases.
  • After the export directive, use a descriptive variable name for storing the release version. The version number is in the format MAJOR.MINOR.PATCH.BUILD and is managed by Renovate.

Development

Prerequisites

Local Testing

Make changes in your local .github/renovate.json file. You might want to reference a shareable config from a branch:

    "extends": ["github>SonarSource/renovate-config:dev-infra-squad#feat/BUILD-1234"]

then run Renovate locally:

GITHUB_COM_TOKEN=$(gh auth token) LOG_LEVEL=debug npx -- renovate --platform=local --secrets "{\"REPOX_TOKEN\": \"${REPOX_TOKEN}\"}"
