[MINOR] §6: Dependabot does not cover pixi.toml Python toolchain

[mvillmow]

Finding

Severity: MINOR
Section: 6
Evidence: .github/dependabot.yml
Principle: YAGNI

Dependabot is configured only for Docker images in /exporter. The Python toolchain dependencies in pixi.toml (bandit, ruff, pytest, yamllint, python) have no automated update mechanism. This means security patches to these tools require manual updates.

---

Part of #100

[mvillmow]

Implementation Plan

Here is the implementation plan for Issue #119:

---

Implementation Plan: Issue #119 — Renovate for pixi.toml Dependencies

1. Objective

Add automated dependency update coverage for the Python/conda-forge toolchain dependencies in pixi.toml (bandit, ruff, pytest, yamllint, python, jq, just). Dependabot has no pixi/conda support; Renovate's native pixi manager is the correct tool.

---

2. Approach

• Add a renovate.json at the repo root enabling the pixi manager with a monthly schedule and grouping all pixi deps into one PR.
• Optionally add a pip-audit task to pixi.toml under a [feature.lint.tasks] section for proactive CVE scanning (aligned with the existing security-dependency-scan job in _required.yml).
• No changes to .github/dependabot.yml — it covers Docker in /exporter and that coverage is correct and separate.
• The Renovate GitHub App must be installed at the org/repo level (out-of-band action, noted in verification).

---

3. Files to Create

File	Description
renovate.json	Renovate config at repo root: enables pixi manager, monthly schedule, dep grouping, base branch main

---

4. Files to Modify

File	Change
pixi.toml	Add [feature.lint.tasks] section with a pip-audit task for proactive vulnerability scanning

---

5. Implementation Steps

1. Create renovate.json at repo root with:

   • "$schema" pointing to the Renovate schema
   • extends: ["config:base"]
   • packageRules entry matching matchManagers: ["pixi"] with:
     • groupName: "pixi build tools"
     • schedule: ["before 5am on the first day of the month"]
   • baseBranches: ["main"]
   • labels: ["dependencies"]
   • commitMessagePrefix: "chore(deps):"
   • Pin ignorePaths to exclude any nested git repos if applicable (none here, but defensive)

2. Modify pixi.toml to add pip-audit task:

   • Add [feature.lint] feature block with pip-audit as a dependency
   • Add [feature.lint.tasks] with pip-audit = "pip-audit --min-severity high" task

3. Document (in PR description only — no inline comments) that the Renovate GitHub App must be installed at github.com/apps/renovate for PRs to be opened automatically.

---

6. Verification

Check	How
Renovate config validity	Run npx --yes renovate-config-validator renovate.json locally
pixi.toml parses correctly	Run pixi install locally after adding the feature block
pip-audit task runs	Run pixi run pip-audit (requires pip-audit installed in the feature env)
Schema validation CI	The existing schema-validation job in _required.yml validates workflow YAMLs; renovate.json is validated by Renovate's own app on first PR
Dry-run Renovate	After app install: renovate --dry-run=lookup <org>/<repo> to confirm pixi deps are discovered

---

7. Skills Used

Invoked during planning:

• hephaestus:advise (via Prior Learnings context) — surfaced renovate-multi-ecosystem-cpp-repos and pixi-pip-audit-severity-filter team knowledge

Team knowledge base skills referenced (from Prior Learnings):

• renovate-multi-ecosystem-cpp-repos — confirmed Renovate native pixi manager is the correct approach; provided the monthly schedule string, grouping pattern, and ignorePaths guidance
• pixi-pip-audit-severity-filter — provided the pip-audit --min-severity high task pattern and the [feature.lint.tasks] placement in pixi.toml

---

Generated by Claude Code Planner

[mvillmow]

Created 3 follow-up issue(s): #298, #299, #300