chore: update Renovate and Dependabot config #467

Draft
olivermeyer wants to merge 1 commit into main from chore/update-renovate-dependabot

@olivermeyer
Collaborator

Unifying our usage of Renovate vs Dependabot with other projects:

  • Use Renovate exclusively for regular dependency updates and lock file management
    • Group all updates to GitHub Actions
    • Group all minor and patch updates to Python dependencies
  • Use Dependabot only for security alerts and updates

The dependabot.yml file was referenced in a spec; I'm removing that line.

Copilot AI review requested due to automatic review settings March 9, 2026 13:38

Copilot AI left a comment

Pull request overview

This PR consolidates dependency update tooling by making Renovate the sole tool for regular dependency version updates and lock file maintenance, while retaining Dependabot only for security vulnerability alerts (which don't require a dependabot.yml config file). The Renovate config is enhanced with package grouping rules and lock file maintenance scheduling.

Changes:

  • Deleted .github/dependabot.yml to stop Dependabot version updates, since Renovate now handles all regular dependency updates
  • Updated renovate.json to scope managers to pep621 and github-actions, added grouped package rules for minor/patch Python deps and GitHub Actions, and enabled weekly lock file maintenance
  • Removed the dependabot.yml reference from the build chain specification's directory tree

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/dependabot.yml | Fully deleted — Dependabot version updates replaced by Renovate |
| renovate.json | Expanded config: restricted managers, added grouping rules, lock file maintenance, changed schedule to "at any time" |
| specifications/SPEC-BUILD-CHAIN-CICD-SERVICE.md | Removed dependabot.yml line from the .github/ directory tree diagram |
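
An added illustration, not part of the pull request or of the review above: a Renovate configuration of the kind the summary describes. It is a sketch, not this repository's renovate.json; the group names and the Monday lock file schedule are assumptions, and the `description` fields carry those labels because JSON has no comments.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Illustrative sketch only, not the renovate.json from this pull request",
  "enabledManagers": ["pep621", "github-actions"],
  "schedule": ["at any time"],
  "packageRules": [
    {
      "description": "One PR for all GitHub Actions updates (group name is assumed)",
      "matchManagers": ["github-actions"],
      "groupName": "github-actions"
    },
    {
      "description": "One PR for minor and patch Python updates, majors stay separate (group name is assumed)",
      "matchManagers": ["pep621"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "python minor and patch"
    }
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 4am on monday"]
  }
}
```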

@olivermeyer olivermeyer force-pushed the chore/update-renovate-dependabot branch from d0dce04 to bae0b9e Compare March 9, 2026 13:53
@codecov
codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 7 files with indirect coverage changes

@sonarqubecloud
sonarqubecloud bot commented Mar 9, 2026
