chore: migrate github-actions updates from dependabot to renovate#10
chore: migrate github-actions updates from dependabot to renovate#10glokos wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Code Review
This pull request replaces the Dependabot configuration with a new Renovate configuration (.github/renovate.json5) targeting GitHub Actions. However, this change completely disables automated updates for npm and uv dependencies in the /dev directory. It is recommended to either migrate these ecosystems to Renovate or retain Dependabot to manage them.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| // easier to maintain. | ||
| { | ||
| $schema: "https://docs.renovatebot.com/renovate-schema.json", | ||
| // Disable every built-in manager (npm, dockerfile, ...) except github-actions. |
There was a problem hiding this comment.
Why do we disable every built-in manager? Does this turn off automatic updates for npm and uv packages?
There was a problem hiding this comment.
It's because the requirement is for github actions only to avoid spamming 10s of PRs for project-specific dependencies. Teams should feel free to enable the package manager required as fits with their workflows
There was a problem hiding this comment.
Can't we use groups, like we did for Dependabot?
There was a problem hiding this comment.
We sure can. My point is that this fine-tuning should be done by owners of the repo (feel free to add to this PR btw). Since I lack context into what each repo's requirements are (apart from GitHub Actions)
Add a github-actions-only Renovate config
What this is
Renovate is a bot that opens PRs to update your
dependencies. This config scopes it to GitHub Actions only — it watches the
uses:lines in.github/workflows/*and opens a PR when an action has a newerversion.
Once merged (and the Renovate app runs), you'll get PRs like
"deps(actions/checkout): update to v5" — SHA-pinned, weekly, batched.
Why Renovate over Dependabot
Both work; we picked Renovate for what this specific config needs:
uses: actions/checkout@v4touses: actions/checkout@<sha> # v4.2.2. Pinningto a SHA is the
GitHub-recommended
supply-chain hardening; Dependabot can't pin and keep the readable version
comment.
minimumReleaseAge: 14 days— skips releases younger than two weeks, so acompromised/yanked action version never lands automatically. Dependabot has no
equivalent cooldown.
on Renovate (the
infrastructurerepo drives ansible image bumps through it),so this keeps a single tool and PR style everywhere instead of splitting
Actions onto Dependabot.
Dependabot is the right call if you want zero setup and GitHub-native — it just
can't do the SHA-pin-with-comment or the release-age delay we want here.
How to test it works
You don't need to wait for the weekly schedule:
github.com/organizations/cowprotocol/settings/installations
→ Renovate → this repo is in its scope. (This is the one real prerequisite —
a committed config is inert without the app.)
line that uses an outdated action (e.g.
actions/checkout@v3).(titled "Dependency Dashboard"), plus any "deps(...)" PRs. Seeing them =
working. The dashboard lists everything it detected and will update.
Quick local check of just the config syntax (doesn't test behavior):