chore: Configure Renovate

justfile

@@ -38,7 +38,7 @@ upgrade-all cooldown="7 days ago": && devenv
     uv lock --upgrade --exclude-newer "{{ cooldown }}"
 
 # update the uv mirror requirements file
-uvmirror file="requirements.uvmirror.txt":
+uvmirror file="requirements.uvmirror":
     rm -f {{ file }}
     uv export --format requirements-txt --frozen --no-hashes --all-groups --all-extras > {{ file }}
 
@@ -106,6 +106,9 @@ check-lockfile:
     rc=0
     uv lock --check
 
+check-renovate-config:
+    npx --yes --package renovate -- renovate-config-validator
+
 # Fix formatting, import sort ordering, and justfile
 fix:
     -uv run ruff check --fix .

renovate.json5

@@ -0,0 +1,119 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    // Start with the Renovate recommended config
+    // https://docs.renovatebot.com/presets-config/#configrecommended
+    "config:recommended",
+    // ensure all GHA are pinned to digests
+    // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+    "helpers:pinGitHubActionDigests",
+    // report on abandoned pacakges
+    // https://docs.renovatebot.com/presets-abandonments/
+    "abandonments:recommended",
+    // We don't want automated docker/docker-compose/Dockerfile updates
+    "docker:disable",
+    // Add the nice badges to PRs
+    // https://docs.renovatebot.com/presets-mergeConfidence/#mergeconfidenceall-badges
+    "mergeConfidence:all-badges"
+  ],
+  // Label all Reonvate PRs with "dependencies"
+  "labels": ["dependencies"],
+  //
+  // NOTE: lockFileMaintenance is currently disabled as it doesn't respect the
+  // minimumReleaseAge for uv. An open PR for adding it has been put on hold for now.
+  // https://github.com/renovatebot/renovate/pull/41913#issuecomment-4231423178
+  // Instead, for now we use the update-dependencies-action to update the
+  // uv lockfile
+  "lockFileMaintenance": { "enabled": false},
+  // update transitive deps by updating the entire lockfile
+  // We run this on the same schedule; add a note for the reviewer to do the
+  // default dependencies first to reduce the amount needed for review in the
+  // full lockfile update
+  // "lockFileMaintenance": {
+  //     "enabled": true,
+  //     "minimumReleaseAge": "7 days",
+  //     "schedule": [
+  //       "* 0-3 * * WED"
+  //     ],
+  //     "prBodyNotes": [":information_source: Before reviewing this PR, merge any prod/dev dependency PRs and rebase."]
+  // },
+  //
+  // Note package rules apply only to direct dependencies
+  // group dependencies by dev/prod, cooldown 7 days, run early Wed mornings
+  // rangeStrategy: widen expands the range when a new version is found and updates the lockfile (with respect to the cooldown).
+  // Assumes that the repo has upper limits (<=) set on pyproject.toml dependencies
+  // Note that we can't (as of 2026-03-20 at least) use the "bump" strategy to always bump versions. This expands
+  // the pyproject.toml range with respect to the cooldown, but DOESN'T respect the cooldown when it updates the
+  // lockfile, which results in a conflict with MinimumReleaseAge.
+  "packageRules": [
+    // don't auto-update python-version or node-version, we want to manage these updates ourselves
+    {
+      "matchManagers": ["pyenv", "nodenv"],
+      "enabled": false
+    },
+    // don't auto-update requires-python in pyproject.toml
+    {
+      matchDepTypes: ["requires-python"],
+      enabled: false,
+    },
+    // We handle github runners (ubuntu versions etc) manually
+    {
+      "matchDatasources": ["github-runners"],
+      "enabled": false
+    },
+    // pep621 covers pyproject.toml and uv.lock files
+    // https://docs.renovatebot.com/modules/manager/pep621/
+    {
+      "matchManagers": ["pep621"],
+      "matchDepTypes": ["dependency-groups", "tool.uv.dev-dependencies"],
+      "addLabels": ["python"],
+      "groupName": "python dev dependencies",
+      "rangeStrategy": "widen",
+      "minimumReleaseAge": "7 days",
+      "schedule": [
+        "* 0-3 * * WED"
+      ],
+    },
+    {
+      "matchManagers": ["pep621"],
+      "matchDepTypes": ["project.dependencies", "project.optional-dependencies", "tool.uv.sources"],
+      "addLabels": ["python"],
+      "groupName": "python prod dependencies",
+      "rangeStrategy": "widen",
+      "minimumReleaseAge": "7 days",
+      "schedule": [
+        "* 0-3 * * WED"
+      ],
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "groupName": "GitHub Actions",
+      "addLabels": ["actions"],
+      "minimumReleaseAge": "7 days",
+      "schedule": [
+        "* 0-3 * * WED"
+      ]
+    },
+    // disable minimumReleaseAge for pinDigest to avoid the stability-days check showing as pending
+    // when Renovate opens a PR for pinning GHA dependencies to digests
+    {
+      "description": "Disable minimumReleaseAge for pinDigest update types",
+      "matchUpdateTypes": ["pinDigest"],
+      "minimumReleaseAge": null,
+    },
+    // EXAMPLE: If required, pin a specific dependency to an upper allowed version
+    // Otherwise renovate will use the general "widen" strategy to change the upper limit in pyproject.toml
+    // and will bump it anyway
+    // {
+    //   "matchManagers": ["pep621"],
+    //   "matchDepNames": ["Django"],
+    //   "allowedVersions": "<6.0"
+    // },
+  ],
+  // Include vulnerability alerts; this uses dependabot and requires that depenency graph and
+  // dependabot alerts are enabled in the repo
+  // https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts
+  "vulnerabilityAlerts": {
+    "addLabels": ["security"]
+  }
+}