Skip to content

Configure Renovate#92

Merged
bcaudan merged 2 commits into
mainfrom
renovate/configure
May 4, 2026
Merged

Configure Renovate#92
bcaudan merged 2 commits into
mainfrom
renovate/configure

Conversation

@renovate

@renovate renovate Bot commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.


Detected Package Files

  • minidump-processor/Cargo.toml (cargo)
  • Dockerfile (dockerfile)
  • .github/workflows/publish.yml (github-actions)
  • .gitlab-ci.yml (gitlabci)
  • e2e/app/package.json (npm)
  • e2e/integration/apps/electron-builder-vite/package.json (npm)
  • e2e/integration/apps/electron-vite/package.json (npm)
  • e2e/integration/apps/forge-vite/package.json (npm)
  • e2e/integration/apps/forge-webpack/package.json (npm)
  • minidump-processor/package.json (npm)
  • package.json (npm)
  • playground/package.json (npm)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
  • Correctly link to the source code for golang.org/x packages
  • Link to pkg.go.dev/... for golang.org/x packages' title
  • Run Renovate on following schedule: every weekend

What to Expect

With your current configuration, Renovate will create 8 Pull Requests:

👷 Update dependency vite to v8.0.5 [SECURITY]
  • Branch name: renovate/npm-vite-vulnerability
  • Merge into: main
  • Upgrade vite to 8.0.5
👷 Update dependency electron to v41.1.0 [SECURITY]
  • Branch name: renovate/npm-electron-vulnerability
  • Merge into: main
  • Upgrade electron to 41.1.0
👷 Update all non-major dependencies (minor/patch)
👷 Update actions/checkout action to v6
  • Schedule: ["every weekend"]
  • Branch name: renovate/actions-checkout-6.x
  • Merge into: main
  • Upgrade actions/checkout to de0fac2e4500dabe0009e67214ff5f5447ce83dd
👷 Update actions/setup-node action to v6
  • Schedule: ["every weekend"]
  • Branch name: renovate/actions-setup-node-6.x
  • Merge into: main
  • Upgrade actions/setup-node to 53b83947a5a98c8d113130e565377fae1a50d02f
👷 Update dependency eslint-plugin-unicorn to v64
  • Schedule: ["every weekend"]
  • Branch name: renovate/eslint-plugin-unicorn-64.x
  • Merge into: main
  • Upgrade eslint-plugin-unicorn to 64.0.0
👷 Update dependency typescript to v6
  • Schedule: ["every weekend"]
  • Branch name: renovate/typescript-6.x
  • Merge into: main
  • Upgrade typescript to 6.0.2
👷 Lock file maintenance
  • Schedule: ["before 4am on monday"]
  • Branch name: renovate/lock-file-maintenance
  • Merge into: main
  • Regenerate lock files to use latest dependency versions

🚸 PR creation will be limited to maximum 1 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prHourlyLimit for details.


Warning

Please correct - or verify that you can safely ignore - these dependency lookup failures before you merge this PR.

  • Failed to look up docker package registry.ddbuild.io/images/docker: no-result
  • Failed to look up docker package registry.ddbuild.io/slack-notifier: no-result

Files affected: .gitlab-ci.yml


❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner April 10, 2026 15:12
@bcaudan bcaudan force-pushed the renovate/configure branch 2 times, most recently from 98bbcf7 to ba040bc Compare April 13, 2026 08:44
@bcaudan bcaudan force-pushed the renovate/configure branch from ba040bc to 575ebfa Compare April 13, 2026 08:47
@bcaudan

bcaudan commented Apr 13, 2026

Copy link
Copy Markdown
Collaborator

Customised the default Renovate config before merging:

Grouping

  • All minor/patch updates (npm + GitHub Actions) are grouped into a single "all non-major dependencies" PR
  • Major updates get individual PRs per package/monorepo (default Renovate behaviour)
  • Cargo (Rust) updates are disabled for now — semver deps will be re-enabled once crash file test coverage is sufficient

Noise reduction

  • schedule: every weekend — updates batched once a week
  • minimumReleaseAge: 7 days — skips packages published less than 7 days ago
  • prCreation: not-pending + internalChecksFilter: strict — waits for upstream CI before opening PRs
  • prConcurrentLimit: 5 + prHourlyLimit: 1 — rate limiting

Safety

  • Internal Datadog registry (registry.ddbuild.io) ignored — unreachable by Renovate
  • Git-pinned rust-minidump packages added to ignoreDeps until rust-minidump#1139 is resolved
  • GitHub Actions SHA pinning enforced (via config:recommended)

Replaces Dependabotdependabot.yml removed to avoid duplicate update PRs.

@bcaudan bcaudan merged commit d72c861 into main May 4, 2026
14 checks passed
@bcaudan bcaudan deleted the renovate/configure branch May 4, 2026 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants