- Breaking: Remove the Renovate integration: the
renovate.yamlworkflow, the bundledrenovate.json5, thecheck-renovatecommand, and the Dependabot-to-Renovate migration are gone, replaced by self-hosted dependency updates (below). Downstream repos prune the orphaned files on their nextrepomatic init. - Breaking:
repomatic update-checksumsis now registry-only: the workflow-file argument and the--registryflag are removed, so it only refreshes the binary tool checksums. - Add
sync-deps, the single entry point for dependency updates: runs every enabled updater or a named subset in parallel and applies them in order, with a--dry-runpreview. - Add
sync-tool-versions: bumps eachrepomatic runtool to its latest release past the cooldown and refreshes the binary tool checksums in the same pass. - Add
sync-action-pins: bumps SHA-pinned GitHub Actions to their latest release past the cooldown, resolving each release tag to its commit SHA. - Add
sync-workflow-pins: bumps the npm and PyPI version literals embedded in workflow YAML past the cooldown. - Add
[tool.repomatic] minimum-release-age(default8 days), the shared stabilization cooldown for the sync updaters, plus per-updatertool-versions.sync,action-pins.sync, andworkflow-pins.synctoggles. repomatic runnow runs npm-backed tools, starting withawesome-lint, installed from the npm registry with per-tarball integrity and theminimum-release-agecooldown; thelint-awesomejob now callsrepomatic run awesome-lint.- Add a
[tool.repomatic] changelog.archive-locationoption pointing at an archive file for older release sections, solint-changelogtreats archived versions as documented instead of flagging them as orphans. - Dependency-updater PR bodies now share
sync-uv-lock's format: a cooldown cutoff date, aHeld back by cooldownsection, and aRelease notesdropdown between them. repomatic runnow applies theminimum-release-agecooldown to the transitive dependencies of itsuvx-installed tools; binary anduv runtools stay pinned as before.- The autofix workflow now runs the dependency updaters weekly on a schedule, so quiet repositories still pick up dependency, tool, and action-pin updates.
REPOMATIC_PATno longer requires theCommit statusespermission;lint-reponow warns when a token still grants it so it can be tightened.- Drop the
pydrillerdependency: Git history operations now invoke thegitCLI directly, shrinking the install and compiled-binary footprint. repomatic runnow animates a spinner while downloading a tool whose server omits aContent-Length, where it previously showed nothing.- The generated Python compatibility matrix in
install.mdnow covers pre-classifier releases, falling back torequires-python, Poetry, orsetup.pymetadata to infer supported versions. - Fix
update-deps-graphrendering only one of several extras or dependency groups that share a directly-declared dependency; each now gets its own subgraph. - Fix broken documentation links: the standalone-binary downloads (versionless 404s), the
pipxinstallation guide, and the GitHub matrix-strategy reference.
Full changelog: v6.31.0...v7.0.0
🛡️ VirusTotal scans
| Binary | Detections | Analysis |
|---|---|---|
repomatic-7.0.0-linux-arm64.bin |
1 / 61 | View scan |
repomatic-7.0.0-linux-x64.bin |
0 / 63 | View scan |
repomatic-7.0.0-macos-arm64.bin |
1 / 58 | View scan |
repomatic-7.0.0-macos-x64.bin |
1 / 61 | View scan |
repomatic-7.0.0-windows-arm64.exe |
2 / 67 | View scan |
repomatic-7.0.0-windows-x64.exe |
15 / 70 | View scan |