Skip to content

chore: migrate github-actions updates from dependabot to renovate#10

Open
glokos wants to merge 2 commits into
mainfrom
renovate/migrate-from-dependabot
Open

chore: migrate github-actions updates from dependabot to renovate#10
glokos wants to merge 2 commits into
mainfrom
renovate/migrate-from-dependabot

Conversation

@glokos

@glokos glokos commented Jul 3, 2026

Copy link
Copy Markdown

Add a github-actions-only Renovate config

What this is

Renovate is a bot that opens PRs to update your
dependencies. This config scopes it to GitHub Actions only — it watches the
uses: lines in .github/workflows/* and opens a PR when an action has a newer
version.

Once merged (and the Renovate app runs), you'll get PRs like
"deps(actions/checkout): update to v5" — SHA-pinned, weekly, batched.

Why Renovate over Dependabot

Both work; we picked Renovate for what this specific config needs:

  • SHA-pinning + keep the version comment — Renovate rewrites
    uses: actions/checkout@v4 to uses: actions/checkout@<sha> # v4.2.2. Pinning
    to a SHA is the
    GitHub-recommended
    supply-chain hardening; Dependabot can't pin and keep the readable version
    comment.
  • minimumReleaseAge: 14 days — skips releases younger than two weeks, so a
    compromised/yanked action version never lands automatically. Dependabot has no
    equivalent cooldown.
  • One config, one bot org-wide — the rest of CoW's repos already standardize
    on Renovate (the infrastructure repo drives ansible image bumps through it),
    so this keeps a single tool and PR style everywhere instead of splitting
    Actions onto Dependabot.

Dependabot is the right call if you want zero setup and GitHub-native — it just
can't do the SHA-pin-with-comment or the release-age delay we want here.

How to test it works

You don't need to wait for the weekly schedule:

  1. Merge the PR. Config does nothing until it's on the default branch.
  2. Confirm the app is installed — an admin checks
    github.com/organizations/cowprotocol/settings/installations
    → Renovate → this repo is in its scope. (This is the one real prerequisite —
    a committed config is inert without the app.)
  3. Force a run — on the Renovate app dashboard, or push a temporary workflow
    line that uses an outdated action (e.g. actions/checkout@v3).
  4. Look for the Dependency Dashboard issue Renovate opens on first run
    (titled "Dependency Dashboard"), plus any "deps(...)" PRs. Seeing them =
    working. The dashboard lists everything it detected and will update.

Quick local check of just the config syntax (doesn't test behavior):

npx --yes --package renovate renovate-config-validator .github/renovate.json5

@glokos glokos requested a review from a team July 3, 2026 13:59

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request replaces the Dependabot configuration with a new Renovate configuration (.github/renovate.json5) targeting GitHub Actions. However, this change completely disables automated updates for npm and uv dependencies in the /dev directory. It is recommended to either migrate these ecosystems to Renovate or retain Dependabot to manage them.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/renovate.json5 Outdated
@glokos glokos enabled auto-merge (squash) July 3, 2026 14:14
Comment thread .github/renovate.json5 Outdated
// easier to maintain.
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
// Disable every built-in manager (npm, dockerfile, ...) except github-actions.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we disable every built-in manager? Does this turn off automatic updates for npm and uv packages?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's because the requirement is for github actions only to avoid spamming 10s of PRs for project-specific dependencies. Teams should feel free to enable the package manager required as fits with their workflows

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we use groups, like we did for Dependabot?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We sure can. My point is that this fine-tuning should be done by owners of the repo (feel free to add to this PR btw). Since I lack context into what each repo's requirements are (apart from GitHub Actions)

@glokos glokos requested a review from igorroncevic July 6, 2026 07:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants