chore: add shared renovate config with version bumping #621
- Extends shared Unstructured renovate config for security-only dependency updates
- Includes version bumping script for automatic version and CHANGELOG updates

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

Syncs script with latest version from renovate-config that includes:
- shfmt formatting (2-space indents)
- pyproject.toml versioning support

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

- PEP 508 compliant package name regex (supports dots)
- Detection for requirements/*.in files
- Detection for pyproject.toml dependencies
- Better logging of detected packages

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
scripts/renovate-security-bump.sh
Outdated
| echo "Could not auto-detect packages, using generic entry" | ||
| fi | ||
|
|
||
| CHANGELOG_ENTRY="- **Security update**: Bumped dependencies to address security vulnerabilities" |
Changelog entry prefix mismatches existing bullet style
The CHANGELOG_ENTRY variable uses a dash prefix (- **Security update**:...) but the existing CHANGELOG.md entries consistently use asterisks (* **fix: ...**). This creates formatting inconsistency between automated security updates and existing manual entries.
- Use portable sed for pyproject version extraction (avoid \x27)
- Discard trailing content in pyproject version extraction
- Include detected packages in changelog entries
- Prevent substring match of CHANGELOG dev version header

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

Script now detects CHANGELOG format (brackets, subsections) and adapts output accordingly. Fixes format mismatch with bracketed headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
| if [ "$CHANGELOG_USE_BRACKETS" = true ]; then | ||
| DEV_VERSION_HEADER=$(grep -m 1 -E "^## \[${ESCAPED_VERSION}\]" "$CHANGELOG_FILE" || true) | ||
| else | ||
| DEV_VERSION_HEADER=$(grep -m 1 -E "^## ${ESCAPED_VERSION}(\s*$)" "$CHANGELOG_FILE" || true) |
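Review bot: In both branches the `|| true` after grep turns every non-zero status into success, so an unreadable or missing `$CHANGELOG_FILE` (grep status 2) is handled exactly like a header that is not present (status 1) and `DEV_VERSION_HEADER` just ends up empty. Unless the file is verified earlier in the script, test it with `[ -r "$CHANGELOG_FILE" ]` before this block, or capture grep's status and abort when it is greater than 1, so that a read failure is not mistaken for a missing header.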
Non-portable regex \s may fail on BSD/macOS
The grep -E pattern uses \s for whitespace matching, but \s is a Perl-compatible regex extension not part of POSIX extended regex. On BSD/macOS grep, this pattern won't match whitespace as intended. When the dev version header fails to match, the script silently falls through (due to || true) and calls create_new_changelog_entry(), resulting in duplicate changelog entries instead of renaming the existing header. The portable alternative is [[:space:]]. This only affects non-bracketed changelog formats since bracketed format (line 251) doesn't use \s.
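The header lookup discussed in the review comment above, as an added example that is not the PR's script: it escapes the version for use in an extended regex, anchors the match so a dev header cannot match as a substring, and uses `[[:space:]]` instead of `\s`. The function names, the bracket-detection heuristic and the sample changelog are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PR's script. Function names are hypothetical.

# Backslash-escape ERE metacharacters so "0.4.0" cannot match "0x4y0".
escape_ere() {
  printf '%s' "$1" | sed 's/[][\\.*^$+?(){}|]/\\&/g'
}

# Print the first header for exactly this version.
# Exit status: 0 found, 1 not found, 2 changelog unreadable.
find_version_header() {
  fvh_file=$2
  [ -r "$fvh_file" ] || return 2
  fvh_esc=$(escape_ere "$1")
  # Assumed heuristic: any "## [" header means the bracketed style is in use.
  if grep -q -E '^## \[' "$fvh_file"; then
    # Bracketed style: the closing bracket ends the version token.
    grep -m 1 -E "^## \[${fvh_esc}\]" "$fvh_file"
  else
    # Plain style: allow only trailing whitespace, using the POSIX class
    # [[:space:]] rather than \s so GNU and BSD grep behave the same.
    grep -m 1 -E "^## ${fvh_esc}[[:space:]]*\$" "$fvh_file"
  fi
}

# Constructed sample changelog (plain headers; the second has trailing blanks).
make_sample() {
  printf '%s\n' '## 0.4.1-dev1' '## 0.4.1-dev  ' '* **fix: example**' \
    '## 0x4y0' '## 0.4.0'
}

demo() {
  demo_file=$(mktemp) || return 1
  make_sample >"$demo_file"
  for v in 0.4.1-dev 0.4.0 0.4.1; do
    if h=$(find_version_header "$v" "$demo_file"); then
      printf '%s -> rename header: "%s"\n' "$v" "$h"
    else
      printf '%s -> no header, create new entry\n' "$v"
    fi
  done
  rm -f "$demo_file"
}
demo
```

Because the function returns grep's own status, a caller can tell "no such header" (1) from "could not read the changelog" (2) instead of collapsing both into an empty string.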
Summary
Test plan
🤖 Generated with Claude Code
Note
Introduces automated versioning and changelog updates tied to security dependency updates.
- `renovate.json5` extending `github>unstructured-io/renovate-config` with PyPI vulnerability rules and `postUpgradeTasks`
- `scripts/renovate-security-bump.sh` detects version source (`__version__.py` or `pyproject.toml`), strips `-dev` or bumps patch, and updates version
- `git diff` (requirements, `uv.lock`, `pyproject.toml`) to list changed packages and updates `CHANGELOG.md` (renames dev header or prepends new entry, with optional `### Fixes`)

Written by Cursor Bugbot for commit 81ccdf5. This will update automatically on new commits.