renovate.json5
// Renovate configuration: labels and commit-message format for dependency PRs,
// per-update-type waiting periods before a release is proposed, and two
// post-upgrade shell tasks that keep pinned SHA-256 checksums in sync.
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
extends: ["config:recommended", "abandonments:recommended"],
// PR and issue settings.
labels: ["📦 dependencies"],
dependencyDashboardLabels: ["📦 dependencies"],
// Schedule settings.
timezone: "UTC",
schedule: ["at any time"],
// Commit message format: "Update `click` to `<8.4`".
semanticCommits: "disabled",
commitMessageTopic: "`{{{depName}}}`",
commitMessageExtra: "to `{{{newValue}}}`",
// Stabilization periods. Must be > 7 days to match pyproject.toml's exclude-newer.
// A release younger than this is not proposed yet, which leaves time for a
// broken or compromised release to be noticed and withdrawn upstream.
minimumReleaseAge: "8 days",
// Rules are listed from the update-type waiting periods down to the
// post-upgrade tasks; keep the order stable when editing, since more than one
// rule can match the same update.
packageRules: [
{
description: "Major updates have a longer stabilization period.",
matchUpdateTypes: ["major"],
minimumReleaseAge: "29 days",
},
{
description: "Minor updates have a moderate stabilization period.",
matchUpdateTypes: ["minor"],
minimumReleaseAge: "11 days",
},
{
// Must be > 7 days to match pyproject.toml's exclude-newer buffer.
description: "Patch updates have a shorter stabilization period.",
matchUpdateTypes: ["patch"],
minimumReleaseAge: "8 days",
},
{
description: "Backtick-wrap GitHub Actions names in commit messages.",
matchManagers: ["github-actions"],
commitMessageTopic: "`{{{depName}}}` action",
},
{
description: "Flag dependencies with no recent releases.",
matchCurrentAge: "> 1 year",
addLabels: ["⚠️ stale dependency"],
},
{
// Runs a shell command on the Renovate host for updates to workflow files.
// The command downloads a fixed uv release (0.10.4), checks the tarball
// against the SHA-256 digest pinned in the command before unpacking it, and
// only then runs repomatic to refresh the checksums in the updated file.
// NOTE(review): repomatic is pinned by version (6.0.1) only; no hash for it
// is visible here, so it is resolved from the package index at run time.
// NOTE(review): the tarball is written to a fixed path under /tmp; this
// presumably relies on the runner's /tmp not being shared - confirm.
// NOTE(review): {{{packageFile}}} is expanded unescaped inside a
// single-quoted bash -c string; confirm matched paths cannot contain quotes.
description: "Update SHA-256 checksums after binary version bumps.",
matchFileNames: [".github/workflows/**"],
postUpgradeTasks: {
commands: [
"bash -c 'curl -fsSL https://github.com/astral-sh/uv/releases/download/0.10.4/uv-x86_64-unknown-linux-gnu.tar.gz --output /tmp/uv.tar.gz && echo 6b52a47358deea1c5e173278bf46b2b489747a59ae31f2a4362ed5c6c1c269f7 /tmp/uv.tar.gz | sha256sum --check && tar xzf /tmp/uv.tar.gz --strip-components=1 -C /tmp && /tmp/uvx --no-progress repomatic==6.0.1 update-checksums {{{packageFile}}}'",
],
// Only changes to workflow files are picked up into the commit.
fileFilters: [".github/workflows/**"],
executionMode: "update",
},
},
{
// When the uv version referenced in this file is bumped, download the new
// release tarball and rewrite the 64-hex digest on the lines of this file
// that invoke the checksum tool.
// NOTE(review): the new digest is computed from the tarball fetched during
// this run, so it records what was served at update time instead of
// verifying it. Compare the digest change in the PR with the checksum
// published upstream for that release (if one is available) before merging.
// NOTE(review): {{{newVersion}}} and {{{packageFile}}} are expanded unescaped
// inside a single-quoted bash -c string; confirm neither can carry quotes.
description: "Update uv SHA-256 checksum after version bump in Renovate config.",
matchDepNames: ["astral-sh/uv"],
matchFileNames: ["renovate.json5"],
postUpgradeTasks: {
commands: [
"bash -c 'curl -fsSL https://github.com/astral-sh/uv/releases/download/{{{newVersion}}}/uv-x86_64-unknown-linux-gnu.tar.gz --output /tmp/uv.tar.gz && sed -i \"/sha256sum/s/[a-f0-9]\\{64\\}/$(sha256sum /tmp/uv.tar.gz | cut -c1-64)/\" {{{packageFile}}}'",
],
// Only changes to this config file are picked up into the commit.
fileFilters: ["renovate.json5"],
executionMode: "update",
},
},
],
// Security updates: raise PRs immediately when vulnerabilities are detected.
// Requires "Dependabot alerts" read permission on the token.
// NOTE(review): confirm that the minimumReleaseAge values above do not also
// delay these security PRs.
vulnerabilityAlerts: {
enabled: true,
labels: ["📦 dependencies", "💣 security"],
}
}