Renovate Config

This repository holds a re-usable configuration for Renovate across Pocket.

Usage

Set up a renovate.json in your repo's root directory with the following contents:

{
  "extends": [
    "github>Pocket/renovate-config"
  ]
}

This will use the default.json that is defined in this repository. In the future we may have other json files representing different presets.

You also need to ensure the following:

  • renovate is allowed on your repository
  • renovate-approve is allowed on your repository
  • All Dependabot and auto-merge configuration files are removed from your repository. This is not strictly required, but they will conflict with Renovate.
  • Allow auto-merge is enabled in your GitHub repository settings. This is not strictly required, but it lets Renovate use GitHub's native auto-merge instead of its own.
  • If you want support for Vulnerability Alerts, ensure that the Dependency graph and Dependabot alerts options are enabled under Code security and analysis for your repo. Vulnerability alert checks are based on Dependabot alerts, which reference the GitHub Advisory Database for packages with reported vulnerabilities. Checks for dependencies with active advisories:
    • Are performed at any time, ignoring schedules.
    • Do not wait for release stability (stabilityDays does not apply).
    • Open PRs immediately, ignoring limits on the number of active PRs.
    • Do not attempt to group dependencies.
    • Are marked up differently from other PRs so that alerting can be driven from them:
      • Commit messages are appended with the string [SECURITY].
      • Branch names end with *-vulnerability

Testing

Run the following to validate the Renovate JSON in this repository:

cp default.json5 renovate.json5 && npx --package renovate -c 'renovate-config-validator'

Note: default.json5 has to be copied to renovate.json5 because renovate-config-validator only looks for config files named renovate.*.

Default Preset

Because JSON doesn't support comments, this readme walks through all the options.

Extends

Config Block:

{
  "extends": [
    "config:base",
    "group:recommended",
    ":semanticCommits"
  ]
}

Ref

"config:base" - Use the set of defaults defined by Renovate

"group:recommended" - Use Renovate's recommended grouping, which groups monorepos and known sets of packages that must be upgraded together (for example the Apollo Server packages)

":semanticCommits" - Enable semantic commit messages; production dependency updates are committed as fix-type commits

"workarounds:typesNodeVersioning" - Use Node versioning for @types/node

"preview:dockerCompose" - Use the preview docker-compose updating support

Labels

"labels": ["dependencies"], - Apply the label dependencies to all PRs opened by Renovate

Pin Digests

"pinDigests": true, - Pin Docker images to their digest. If an upstream tag is re-pushed, builds keep using the pinned digest, and Renovate opens a digest update PR to move to the new one, so image changes are always visible in a PR rather than silently picked up.

Platform Automerge

"platformAutomerge": true, - Use GitHub's auto-merge functionality if it is enabled, instead of Renovate's own auto-merging

Suppress Notifications

"suppressNotifications": ["prIgnoreNotification","onboardingClose"], - Use this field to suppress various types of warnings and other notifications from Renovate

Support Policy

"supportPolicy": "lts", - Tells Renovate to prefer LTS releases of packages

Package Rules

https://docs.renovatebot.com/configuration-options/#packagerules

The following are a set of custom package rules that we have enabled.

Docker

Label every Docker update with docker-update.

{
  "matchDatasources": ["docker"],
  "labels": ["docker-update"]
}

NPM Stability

For all npm packages, require a release to have been on the registry for at least 3 days before Renovate proposes it. npm packages can be unpublished for up to 3 days after publishing, so this avoids PRs for versions that may disappear again.

{
  "matchDatasources": ["npm"],
  "stabilityDays": 3
}

Automerge Versions

Auto-merge patch, pin, and digest updates.

Patch updates are patch-level version bumps of any kind of package, including Docker images. Pin updates pin a package in the repo to its currently installed version. Digest updates move a pinned Docker image to a new upstream digest.

{
  "matchUpdateTypes": ["patch", "pin", "digest"],
  "dependencyDashboardApproval": false,
  "automerge": true
}

Dependency Dashboard Minor/Major

This makes minor and major updates of any package require a developer to tick a checkbox on the Dependency Dashboard issue before Renovate creates the PR.

This helps reduce GitHub notification noise for developers.

https://docs.renovatebot.com/configuration-options/#dependencydashboardapproval

{
  "matchUpdateTypes": ["minor", "major"],
  "dependencyDashboardApproval": true
}

Automerge Dev

Auto merge any type of dev dependencies. These are almost always safe.

{
  "matchDepTypes": ["devDependencies"],
  "automerge": true
}

Group CDKTF

Groups all the CDKTF package updates together. This is because when CDKTF provider packages are updated they are almost always updated together and require the latest version of the CDKTF package. This also marks the commits as a fix type which will trigger a release.

{
  "matchUpdateTypes": ["minor", "major", "patch", "pin"],
  "separateMajorMinor": false,
  "semanticCommitType": "fix",
  "matchPackagePrefixes": [
    "cdktf",
    "cdktf-cli",
    "constructs",
    "@cdktf/"
  ],
  "groupName": "cdktf"
}

Node Update

Match all the Node packages in our repos at the same time and use the Node versioning scheme. The package names are matched across all of the listed datasources (docker, node, npm), so the Docker base image and the engines field move together.

{
  "matchDatasources": ["docker","node","npm"],
  "semanticCommitType": "ci",
  "matchPackageNames": ["node", "circleci/node", "cimg/node"],
  "versioning": "node"
}
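Because packageRules are applied in the order they are listed, with each later matching rule overriding the keys set by earlier ones, it is worth seeing what a given update actually resolves to. The following added Python model is not part of this repository and is not Renovate's own code: it embeds the top-level settings and the packageRules from this README, evaluates them against a constructed update, and returns the merged settings plus the indexes of the rules that matched. It models only the match keys used on this page (Renovate's real matcher supports many more), and array keys such as labels are modelled as replace-on-override, which is how a labels entry inside packageRules behaves in Renovate (addLabels is the additive option).

```python
from __future__ import annotations

from typing import Any, Callable

# Top-level settings taken from the default preset described in this README.
BASE_CONFIG: dict[str, Any] = {
    "labels": ["dependencies"],
    "pinDigests": True,
    "platformAutomerge": True,
    "supportPolicy": "lts",
}

# The packageRules from this README, in the order they are listed. Order matters:
# a later matching rule overrides keys set by an earlier one.
PACKAGE_RULES: list[dict[str, Any]] = [
    {"matchDatasources": ["docker"], "labels": ["docker-update"]},
    {"matchDatasources": ["npm"], "stabilityDays": 3},
    {"matchUpdateTypes": ["patch", "pin", "digest"],
     "dependencyDashboardApproval": False, "automerge": True},
    {"matchUpdateTypes": ["minor", "major"], "dependencyDashboardApproval": True},
    {"matchDepTypes": ["devDependencies"], "automerge": True},
    {"matchUpdateTypes": ["minor", "major", "patch", "pin"],
     "separateMajorMinor": False, "semanticCommitType": "fix",
     "matchPackagePrefixes": ["cdktf", "cdktf-cli", "constructs", "@cdktf/"],
     "groupName": "cdktf"},
    {"matchDatasources": ["docker", "node", "npm"], "semanticCommitType": "ci",
     "matchPackageNames": ["node", "circleci/node", "cimg/node"],
     "versioning": "node"},
]

# Match keys used on this page, mapped to how they test an update. Within one key the
# listed values are OR-ed; across keys in the same rule they are AND-ed.
MATCHERS: dict[str, Callable[[dict[str, Any], list[str]], bool]] = {
    "matchDatasources": lambda upd, values: upd["datasource"] in values,
    "matchDepTypes": lambda upd, values: upd.get("depType") in values,
    "matchUpdateTypes": lambda upd, values: upd["updateType"] in values,
    "matchPackageNames": lambda upd, values: upd["depName"] in values,
    "matchPackagePrefixes": lambda upd, values: any(
        upd["depName"].startswith(prefix) for prefix in values
    ),
}


def rule_matches(rule: dict[str, Any], update: dict[str, Any]) -> bool:
    """Return True when every match* key in the rule accepts the update."""
    for key, values in rule.items():
        if not key.startswith("match"):
            continue
        matcher = MATCHERS.get(key)
        if matcher is None:
            raise ValueError(f"match key not modelled here: {key}")
        if not matcher(update, values):
            return False
    return True


def resolve(update: dict[str, Any],
            base: dict[str, Any] = BASE_CONFIG,
            rules: list[dict[str, Any]] = PACKAGE_RULES) -> dict[str, Any]:
    """Merge the base config with every matching rule, in order.

    Non-match keys of a matching rule overwrite whatever an earlier rule or the base
    config set, so the last matching rule wins for each key. The list of matched rule
    indexes is returned under "_appliedRules" so the outcome can be explained.
    """
    config = dict(base)
    applied: list[int] = []
    for index, rule in enumerate(rules):
        if rule_matches(rule, update):
            applied.append(index)
            for key, value in rule.items():
                if not key.startswith("match"):
                    config[key] = value
    config["_appliedRules"] = applied
    return config


if __name__ == "__main__":
    # Constructed updates (hypothetical package names) to exercise the rules.
    samples = [
        {"datasource": "npm", "depName": "jest", "depType": "devDependencies",
         "updateType": "minor"},
        {"datasource": "docker", "depName": "cimg/node", "updateType": "digest"},
        {"datasource": "npm", "depName": "@cdktf/provider-aws",
         "depType": "dependencies", "updateType": "major"},
    ]
    for sample in samples:
        print(sample["depName"], sample["updateType"], "->", resolve(sample))
```

The three constructed samples show the compositions a reviewer most often needs to reason about: a minor devDependency update ends up both gated behind the Dependency Dashboard (rule 3) and auto-merged once approved (rule 4); a Docker digest update is auto-merged without approval and loses the dependencies label because the docker rule's labels entry replaces it; and a major @cdktf/ update is grouped as a fix-type commit but still waits for dashboard approval, since no rule sets automerge for major updates of production dependencies.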
