ci: switch dependency updates from Dependabot to Renovate #809

Merged: emilyoram merged 1 commit into main from ci/switch-to-renovate on Jul 1, 2026

@emilyoram

What

Switches dependency updates from Dependabot to Mend Renovate, mirroring the existing dependabot.yml rules and adding what Dependabot could not do with the default GITHUB_TOKEN:

  • Auto-merge minor updates once CI is green (automerge: true on matchUpdateTypes: ["minor"]) — native, no branch protection or custom workflow needed.
  • Rebase whenever a PR falls behind the base branch (rebaseWhen: behind-base-branch) — rebases come from the Renovate App's own identity, so CI re-runs (a GITHUB_TOKEN branch update would not re-trigger workflows, and @dependabot rebase is rejected from the Actions bot).

Rule translation

  • Base branches and maintenance-branch restrictions carried over from dependabot.yml (patch-only on stable maintenance branches where that was configured; package pins preserved).
  • :semanticCommitTypeAll(chore) pins all Renovate commits/PR titles to chore(deps): …. This matters: Renovate's default uses fix(deps) for prod dependencies, which would trigger semantic-release patch releases.
  • vulnerabilityAlerts disabled in Renovate (same as camunda-7-to-8-migration-tooling) — GitHub's Dependabot security updates remain the CVE path; only Dependabot version PRs stop.
  • Where present, the custom dependabot-auto-merge.yml workflow is removed — Renovate's native automerge replaces it.

Prerequisites / rollout

  1. Renovate app must be granted access to this repo (infra is handling installation). Until then this config is inert.
  2. On first run Renovate opens a Dependency Dashboard issue; review it to confirm the detected updates look right.
  3. Existing open Dependabot PRs should be closed once Renovate's equivalents appear (happy to sweep these).

Flagged for reviewers

  • Automerge is minor-only per the agreed rule; adding patch is a one-word change (["minor", "patch"]).
  • Dependabot ran weekly; Renovate (org-default) runs unscheduled. Add a schedule block if the cadence matters.

🤖 Generated with Claude Code
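
A CI-side check for the invariants called out in the description above, as an added example that is not part of the pull request or the project's code. It assumes a constructed config (not the repository's actual .github/renovate.json) and a hypothetical `audit_renovate_config` helper, and flags automerge widened beyond minor, a missing `:semanticCommitTypeAll(chore)` preset, or a changed `rebaseWhen`.

```python
import json

# Constructed sample, not the repository's actual .github/renovate.json.
SAMPLE_CONFIG = """
{
  "extends": ["config:recommended", ":semanticCommitTypeAll(chore)"],
  "rebaseWhen": "behind-base-branch",
  "vulnerabilityAlerts": {"enabled": false},
  "packageRules": [
    {"matchUpdateTypes": ["minor"], "automerge": true}
  ]
}
"""

# The PR's agreed rule; assumption: enforced here as an allow-list.
ALLOWED_AUTOMERGE_TYPES = {"minor"}


def audit_renovate_config(config, allowed=ALLOWED_AUTOMERGE_TYPES):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    # Top-level automerge applies to every update type, including major.
    if config.get("automerge") is True:
        findings.append("top-level automerge enables merging for all update types")
    for i, rule in enumerate(config.get("packageRules", [])):
        if rule.get("automerge") is not True:
            continue
        types = rule.get("matchUpdateTypes")
        if not types:
            findings.append(f"packageRules[{i}]: automerge without matchUpdateTypes")
        else:
            extra = sorted(set(types) - allowed)
            if extra:
                findings.append(f"packageRules[{i}]: automerge widened to {extra}")
    # Without this preset Renovate titles prod updates fix(deps),
    # which semantic-release treats as a patch release.
    if ":semanticCommitTypeAll(chore)" not in config.get("extends", []):
        findings.append("missing :semanticCommitTypeAll(chore) preset")
    if config.get("rebaseWhen") != "behind-base-branch":
        findings.append("rebaseWhen is not behind-base-branch")
    return findings


if __name__ == "__main__":
    for finding in audit_renovate_config(json.loads(SAMPLE_CONFIG)) or ["ok"]:
        print(finding)
```

Passing `allowed={"minor", "patch"}` accepts the one-word widening mentioned under "Flagged for reviewers" once that change is agreed.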

Copilot AI review requested due to automatic review settings July 1, 2026 21:32

Copilot AI left a comment

Pull request overview

Switches this repository’s automated dependency update mechanism from GitHub Dependabot (version updates) to Mend Renovate, aligning update grouping and branch targeting rules while enabling Renovate-native automerge/rebase behavior.

Changes:

  • Add Renovate configuration under .github/renovate.json (grouping npm + GitHub Actions updates, minor-only automerge, rebase-when-behind behavior).
  • Remove the existing .github/dependabot.yml to stop Dependabot version-update PRs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/renovate.json | Introduces Renovate rules for base branches, grouping, minor-only automerge, and rebase behavior. |
| .github/dependabot.yml | Removes Dependabot version update configuration as part of the migration to Renovate. |

Comment thread .github/renovate.json
Replace dependabot.yml with a Renovate config that mirrors the existing
rules (base branches, maintenance-branch restrictions, groupings) and
adds what Dependabot could not do natively: auto-merge of minor updates
once CI is green, and rebasing PRs whenever they fall behind the base
branch. Commit type is pinned to chore(deps) so dependency bumps never
trigger a semantic-release. Renovate runs as a GitHub App with its own
push identity, so rebases re-trigger CI and merges fire downstream
workflows (both impossible with the GITHUB_TOKEN-based workflow).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

emilyoram force-pushed the ci/switch-to-renovate branch from 25eae5e to 2346ecf on July 1, 2026 23:14
emilyoram merged commit f71131c into main on Jul 1, 2026
14 checks passed
@github-actions

github-actions Bot commented Jul 2, 2026

Released in v8.9.0-alpha.9 (npm: @camunda8/sdk@8.9.0-alpha.9).
