Update dependency configuration and documentation.

justinvdm · justinvdm · commit 3b1d76a5d4e6 · 2025-09-18T15:28:26.000+02:00
diff --git a/.notes/justin/worklogs/2025-0-17-dependency-greenkeeping-strategy.md b/.notes/justin/worklogs/2025-0-17-dependency-greenkeeping-strategy.md
@@ -32,3 +32,22 @@ The `renovate.json` configuration has been updated to address these findings:
 1.  The conflicting exclusion for `@cloudflare/workers-types` has been removed.
 2.  `separateMajorMinor: false` has been added to the root of the configuration to keep major updates within their defined groups.
 3.  A new "catch-all" rule has been added to the end of the `packageRules` array. This rule will group all previously unmatched dependencies into a single weekly "repository-maintenance" PR.
+
+### Step 13: Implementing Dashboard-Driven Fixes
+
+The initial run of the Renovate App with the corrected pointer syntax revealed several issues with our grouping rules. The Dependency Dashboard provided all the necessary information to diagnose and fix them.
+
+**Findings:**
+
+1.  **Incorrect Grouping**: A single, overly broad "catch-all" rule was grouping all dependencies into a single `repository-maintenance` PR, overriding all other specific rules.
+2.  **Deprecated Filename**: A warning indicated that when a configuration is used as a preset (as ours is via the pointer), it should be named `default.json`, not `renovate.json`.
+3.  **Missing "Infrastructure" Group**: Several dependencies related to repository infrastructure (e.g., GitHub Actions, Docker) were not explicitly grouped.
+
+**Actions:**
+
+1.  **Renamed Config File**: `renovate.json` has been renamed to `default.json` to align with Renovate's preset conventions and resolve the warning.
+2.  **Refined Grouping Rules**: The `default.json` file has been significantly updated. The overly broad catch-all rule was removed and replaced with several explicit rules to correctly group dependencies from the `sdk`, `starters`, `docs`, and root `package.json` files.
+3.  **Added Infrastructure Group**: A new `infrastructure-dependencies` group was created to handle updates for GitHub Actions, Dockerfiles, and the repository's Node.js version.
+4.  **Updated Documentation**: The `CONTRIBUTING.md` file has been updated with a section explaining how to use the Dependency Dashboard to monitor and manually trigger updates.
+
+With these changes, the configuration should now be correct and robust. The next run of Renovate should produce the correctly grouped PRs as originally intended.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -360,4 +360,25 @@ The release workflow and underlying script (`sdk/sdk/scripts/release.sh`) follow
     *  Smoke tests are then run for this same test project, validating that the installed tarball is working correctly
 5.  **Publish**: Only if all smoke tests and verification checks pass, the script publishes the `.tgz` tarball to npm. This guarantees the exact package that was tested is the one that gets published.
 6.  **Finalize Commit**: For non-prerelease versions, the script updates dependencies in the monorepo, amends the version commit with these changes, tags the commit, and pushes everything to the remote repository.
-7.  **Rollback**: If any step fails, the script reverts the version commit and cleans up all temporary files, leaving the repository in a clean state.
+7.  **Rollback**: If any step fails, the script reverts the version commit and cleans up all temporary files, leaving the repository in a clean state.
+
+*   **A Note on Mocking**: The term "dependency" is used in two ways. This document primarily concerns package management (e.g., `npm` packages). For guidance on writing testable code by avoiding mocks in favor of dependency injection, please see the "Dependency Injection over Mocking" section.
+
+### Using the Dependency Dashboard
+
+After a new dependency update is available, Renovate will create a Pull Request. For managing all available updates, Renovate also creates a special issue in the repository titled "Dependency Dashboard". You can find this in the "Issues" tab.
+
+This dashboard is the central place to manage the greenkeeping process. It provides:
+*   A list of all new dependency versions that have been discovered.
+*   The status of current open Pull Requests for dependency updates.
+*   A list of updates that are waiting for their scheduled time to run.
+
+#### Manually Triggering Updates
+
+Our configuration schedules most updates to run weekly to reduce noise. However, you can trigger any scheduled update immediately from the dashboard.
+
+To do this, find the update group you wish to run in the "Awaiting Schedule" section of the dashboard and click the checkbox next to it. Renovate will detect this change and create the corresponding Pull Request within a few minutes. This is particularly useful for forcing a one-time update of all dependencies to establish a new baseline or to test a specific update, such as the `starter-peer-dependencies` group.
+
+### Failure Protocol for Peer Dependencies
+
+If a peer dependency update in a starter project fails the CI smoke tests, it signifies a potential regression. The failure could be due to one of two causes:
diff --git a/default.json b/default.json
@@ -0,0 +1,70 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "separateMajorMinor": false,
+  "packageRules": [
+    {
+      "description": "Group Cloudflare dependencies together as they are often released in tandem.",
+      "matchPackageNames": ["/^@cloudflare\\//", "wrangler"],
+      "groupName": "cloudflare"
+    },
+    {
+      "description": "Group React-related packages together.",
+      "matchPackageNames": ["/^react/", "/^@types\\/react/"],
+      "groupName": "react"
+    },
+    {
+      "description": "Group infrastructure dependencies (Actions, Docker, Node.js, pnpm).",
+      "matchManagers": ["github-actions", "dockerfile", "nodenv"],
+      "groupName": "infrastructure-dependencies",
+      "schedule": ["on saturday"]
+    },
+    {
+      "description": "Group pnpm version from root package.json with other infra deps",
+      "matchFileNames": ["package.json"],
+      "matchPackageNames": ["pnpm"],
+      "groupName": "infrastructure-dependencies",
+      "schedule": ["on saturday"]
+    },
+    {
+      "description": "Group all SDK internal dependencies into a single weekly PR.",
+      "matchFileNames": ["sdk/package.json"],
+      "groupName": "sdk-internal-dependencies",
+      "schedule": ["on saturday"]
+    },
+    {
+      "description": "Group all starter application dependencies into a single weekly PR.",
+      "matchFileNames": ["starters/**/package.json"],
+      "excludePackageNames": ["@cloudflare/vite-plugin", "wrangler", "vite"],
+      "groupName": "starter-app-dependencies",
+      "schedule": ["on saturday"]
+    },
+    {
+      "description": "Update peer dependencies in starter projects as soon as they are available.",
+      "matchFileNames": ["starters/**/package.json"],
+      "matchPackageNames": ["@cloudflare/vite-plugin", "wrangler", "vite"],
+      "groupName": "starter-peer-dependencies",
+      "schedule": ["every weekend"],
+      "prPriority": 1
+    },
+    {
+      "description": "Group dependencies for the docs site.",
+      "matchFileNames": ["docs/package.json"],
+      "groupName": "docs-dependencies",
+      "schedule": ["on saturday"]
+    },
+    {
+      "description": "Group dependencies from the root package.json.",
+      "matchFileNames": ["package.json"],
+      "excludePackageNames": ["pnpm"],
+      "groupName": "root-dependencies",
+      "schedule": ["on saturday"]
+    }
+  ],
+  "prHeader": " chore(deps): {{{prTitle}}}",
+  "prBodyNotes": "This PR updates the following dependencies:\n\n{{{table}}}",
+  "automerge": false,
+  "major": { "automerge": false },
+  "minor": { "automerge": false },
+  "patch": { "automerge": false }
+}
