Problem
Dependabot requires explicit directories entries for each composite action path to discover uses: references outside .github/workflows/. This was the root cause of the version skew fixed in #32 — claude-invoke/action.yml was missed because Dependabot only scanned /.
Renovate auto-discovers all files containing GitHub Actions uses: references without per-directory configuration, making it more robust for repos with composite actions.
Suggested scope
- Install the Renovate GitHub App (or configure self-hosted)
- Create
renovate.json covering all 7 ecosystems currently in dependabot.yml: github-actions, npm, docker, terraform, devcontainers, gitsubmodule, gomod
- Preserve existing grouping, labelling, and commit-message conventions
- Remove
.github/dependabot.yml once Renovate is confirmed working
- Update AGENTS.md to document the new dependency management tool
Context
Problem
Dependabot requires explicit
directoriesentries for each composite action path to discoveruses:references outside.github/workflows/. This was the root cause of the version skew fixed in #32 —claude-invoke/action.ymlwas missed because Dependabot only scanned/.Renovate auto-discovers all files containing GitHub Actions
uses:references without per-directory configuration, making it more robust for repos with composite actions.Suggested scope
renovate.jsoncovering all 7 ecosystems currently independabot.yml: github-actions, npm, docker, terraform, devcontainers, gitsubmodule, gomod.github/dependabot.ymlonce Renovate is confirmed workingContext
.github/dependabot.ymldirectoriesentries as a stopgap for composite action scanning