chore: set up Renovate for dependency updates [MEC-3447]#2720
Open
contentful-renovate-rollout[bot] wants to merge 1 commit into
Open
chore: set up Renovate for dependency updates [MEC-3447]#2720contentful-renovate-rollout[bot] wants to merge 1 commit into
contentful-renovate-rollout[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Sets up Renovate as the dependency-update tool for this repository, part of an org-wide rollout.
Depending on this repo's starting state, this PR does some of the following:
renovate.jsonextending the Contentful shared presetpackageRuleswhere still needed, and removes Dependabot-only automation and secret policiesManual follow-up (not handled by this PR):
Migration Confidence: 🟡 Medium
Summary
Migrated from Dependabot to Renovate: added a repo-root renovate.json extending local>contentful/renovate-config (correct preset for this non-Nx repo), deleted .github/dependabot.yml and the dependabot-approve-and-request-merge.yaml workflow, and removed the now-unused 'dependabot' vault secret policy without inventing a Renovate replacement. Beyond the mechanical removal/replacement, I added packageRules in renovate.json to group minor/patch updates by dependencies vs devDependencies, mirroring the production-dependencies/dev-dependencies grouping that existed in the old dependabot.yml — but I did not carry over dependabot's other behaviors (the husky/fast-copy/eslint-plugin-promise version ignores and the 15-day cooldown), since those aren't standard Renovate packageRules concepts and weren't explicitly requested. This partial-replication choice (keep grouping, drop ignores/cooldown) is a judgment call a different engineer might have made differently — either fully replicating old behavior or relying solely on the shared preset with no extra packageRules.
Files requiring attention
The following files had edge cases or required judgment during migration and should be reviewed carefully:
renovate.json