Review agent should analyze dependency manager config rule interactions #2989

Description

@fullsend-ai-retro

What happened

On PR #2693, author rh-hemartin added a Renovate packageRules entry to group two OpenShell dependencies (base image digest and CLI version pin) under a single groupName. The fullsend review agent approved within 8 minutes with no findings — its output was 'Looks good to me' with no substantive analysis. Meanwhile, Qodo's code review bot identified a medium-severity concern: the new grouping rule inherits the repo's global automerge-for-patch/pin setting, so a grouped PR containing a base image digest change could automerge when it previously would not have (since the digest update alone may not have matched automerge criteria). Human reviewer maruiz93 approved on 2026-07-03 with an informational clarification about groupName behavior but did not address the automerge interaction. The PR merged the same day.

What could go better

The fullsend review agent treated this as a trivial config addition and did not analyze how the new rule interacts with existing rules in renovate.json. Dependency manager config files have compositional semantics — rules interact through inheritance, ordering, and scoping. A new grouping rule changes which global settings apply to which packages. The Qodo bot demonstrated that this class of interaction analysis is feasible. Confidence is medium: the human reviewer also did not flag this concern, which could mean (a) the risk is acceptable, (b) the human didn't read Qodo's comment, or (c) the human judged it low priority. If (a), teaching the agent to flag this would add noise. If (b) or (c), the agent surfacing it would provide valuable signal. Related existing issues: #2384 (validate external tool config against execution model) covers a similar theme but targets tool execution semantics rather than intra-file rule interactions; #2593 (consult AGENTS.md before suggesting dependency-management scope expansion) is about scope, not rule interactions.

Proposed change

Add review guidance for dependency manager config files (renovate.json, dependabot.yml, etc.) to the review agent. This could take the form of a review sub-agent skill or prompt instructions in the review agent definition. When a PR modifies these files, the review agent should: (1) read the full config file and identify existing rules that could interact with the changed rules — particularly automerge, schedule, ignoreUnstable, and grouping settings; (2) surface any interactions where the combined effect differs from what a reader might expect from the change alone; (3) note when a new grouping rule causes packages to inherit global settings (like automerge) that may not be appropriate for all members of the group. The guidance should be calibrated to avoid false positives — only flag interactions where the combined behavior materially differs from the isolated change.

Validation criteria

On the next 5 PRs that modify renovate.json or dependabot.yml with rule additions or modifications, check whether the review agent's output includes analysis of how new or changed rules interact with existing rules in the same file. Success criteria: (1) the agent surfaces at least one meaningful interaction per PR where interactions exist, (2) the agent does not generate false-positive interaction warnings on PRs where rules are independent, and (3) the signal-to-noise ratio is acceptable (fewer than 50% of flagged interactions are dismissed by human reviewers as not actionable). Timeframe: next 3 months or 5 qualifying PRs, whichever comes first.


Generated by retro agent from #2693
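The interaction check proposed above, as an added example that is not part of the issue or the fullsend project: it models a reduced subset of Renovate's packageRules merging (top-level keys as defaults, matching rules applied in order, later rules winning) and flags groups whose grouping rule is silent on automerge while a member still inherits automerge from another rule. Package names, the config and the pending updates are constructed placeholders, and the matcher model is an assumption, not Renovate's full semantics.

```python
import json

# Constructed renovate.json mirroring the scenario in the issue: the repo
# automerges patch/pin updates globally, and a new packageRules entry groups
# a base image digest and a CLI version pin without saying anything about
# automerge. Package names are placeholders, not the ones from the PR.
CONFIG_BEFORE = json.loads("""{
  "automerge": false,
  "packageRules": [
    {"matchUpdateTypes": ["patch", "pin"], "automerge": true},
    {"matchPackageNames": ["example/base-image", "example-cli"],
     "groupName": "openshell"}
  ]
}""")

# Same config with the group's automerge decided explicitly on the rule.
CONFIG_AFTER = json.loads(json.dumps(CONFIG_BEFORE))
CONFIG_AFTER["packageRules"][1]["automerge"] = False

# Constructed pending updates: a digest bump and a version pin.
UPDATES = [
    {"name": "example/base-image", "updateType": "digest"},
    {"name": "example-cli", "updateType": "pin"},
]

# Reduced matcher model (assumption): a rule matches when every match* key
# it carries contains the update's corresponding attribute.
MATCHERS = {"matchPackageNames": "name", "matchUpdateTypes": "updateType"}

def rule_matches(rule, update):
    return all(update.get(attr) in rule[key]
               for key, attr in MATCHERS.items() if key in rule)

def effective(config, update):
    """Top-level keys first, then matching packageRules in order (later wins)."""
    settings = {k: v for k, v in config.items() if k != "packageRules"}
    for rule in config.get("packageRules", []):
        if rule_matches(rule, update):
            settings.update({k: v for k, v in rule.items() if k not in MATCHERS})
    return settings

def inherited_automerge_groups(config, updates):
    """Group names whose grouping rule is silent on automerge while at least
    one member still ends up with automerge=true from another rule."""
    silent = {r["groupName"] for r in config.get("packageRules", [])
              if "groupName" in r and "automerge" not in r}
    flagged = set()
    for u in updates:
        eff = effective(config, u)
        if eff.get("groupName") in silent and eff.get("automerge"):
            flagged.add(eff["groupName"])
    return sorted(flagged)
```

Run against CONFIG_BEFORE the check reports the "openshell" group because the pin member inherits automerge=true while the digest member does not; CONFIG_AFTER is reported clean because the grouping rule states its automerge intent explicitly.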
