diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 00000000..476de639
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,99 @@
+// Brane's renovate config
+//
+// Some settings are set to their default value, this is not by accident.
+// Sometimes we are deliberate in our choice even if its default. Please annotate these choices with a comment.
+// Renovate was chosen over dependabot as dependabot does not handle minimal versions appropriately.
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ // I actively choose recommended over best practices.
+ // I'm unsure if digest pinning for docker and github actions is worthwhile for Brane at this moment
+ "config:recommended",
+ ":semanticCommitTypeAll(chore)",
+
+ // I would recommend earlyMondays during active development, and monthly in passive phases
+ "schedule:earlyMondays",
+
+ // Create PRs for Renovate config updates
+ ":configMigration",
+ ],
+
+ "timezone": "Europe/Amsterdam",
+ "labels": ["C-Dependencies"],
+
+ // I think automerge can be tricky with supply chain security.
+ // It also has a tendency to break MSRV I think.
+ "automerge": false,
+
+ // Make sure we do not get too crowded with PRs, if there are five open we should probably be focussing on those first.
+ // Only reason I can think of to remove or increase this limit is because I want the regular monthly update set
+ "prConcurrentLimit": 5,
+ "prHourlyLimit": 5,
+
+ // Vulnerability alerts are obviously important
+ "vulnerabilityAlerts": {
+ "addLabels": ["P-Critical", "C-Security"],
+ },
+
+ // This is also a possibility quite similar to the current minor & patch rules.
+ // The upside of the other solution is that it allows for more finegrained control in the future.
+ // It also can provide more semantic information of what it actually upgraded instead of some big lockfile diff
+ // Note: This might be needed in the future if the package rules for patch & minor differ from
+ "lockFileMaintenance": { "enabled": false },
+
+ "packageRules": [
+ // Add things to this section if you want them to apply to rust updates only
+ // TODO: Add all Rust related configuration options
+ {
+ "matchManagers": ["cargo"],
+ // Set this to false if Brane is in active development and relatively up to date.
+ // If there is little time for major updates, enable this setting.
+ // With this setting enabled, updates are still listed in the dashboard, but only
+ // PRs are created when you're ready. Updating major dependencies in Brane can be
+ // a lot of work.
+ // Note: This setting is overridden for patch and minor versions
+ "dependencyDashboardApproval": true,
+ },
+
+ // Note: These updates are to the lockfile only as manifest dependencies
+ // specify the minimal version, wrile the lockfile specifies the actual version.
+ // Note: We group patch and minor together here
+ {
+ "matchUpdateTypes": ["minor"],
+ "matchManagers": ["cargo"],
+ "matchCurrentValue": "!/^v?0\\./",
+ "groupName": "all non-major dependencies (exclude 0.x.y)",
+ "groupSlug": "cargo-minor-patch-semver",
+ "prPriority": 9,
+ "dependencyDashboardApproval": false,
+ },
+ {
+ "matchUpdateTypes": ["patch"],
+ "matchManagers": ["cargo"],
+ "matchCurrentValue": "!/^v?0\\.0\\./",
+ "groupName": "all non-major dependencies (exclude 0.x.y)",
+ "groupSlug": "cargo-minor-patch-semver",
+ "prPriority": 9,
+ "dependencyDashboardApproval": false,
+ },
+
+ // We can group github actions updates together, they almost always apply with very little intervention.
+ // Combining them reduces the noise a lot
+ {
+ "matchManagers": ["github-actions"],
+ "addLabels": ["A-CI", "A-CD"],
+ "groupName": "GitHub actions",
+ "groupSlug": "gh-actions",
+ },
+
+ // TODO: Enable this
+ {
+ "matchManagers": ["docker", "docker-compose"],
+ "enabled": false,
+ }
+ ],
+
+ // Do not take immediately update.
+ // The chances of a package being yanked in the first couple of days are not negligible.
+ "minimumReleaseAge": "3",
+}
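Review bot: `"minimumReleaseAge": "3"` at the end of the hunk carries no unit, while the comment above it intends a multi-day delay to avoid picking up releases that get yanked; Renovate documents this option as a duration string such as `"3 days"`, so a bare `"3"` is likely either rejected by the config validator or read as a far shorter interval, and in both cases the protection the comment describes would not be in effect. Change it to `"minimumReleaseAge": "3 days",` and confirm with `renovate-config-validator`. The comment `// Note: This might be needed in the future if the package rules for patch & minor differ from` above `lockFileMaintenance` stops mid-sentence and should state what they would differ from. Minor wording in the cargo rules: `wrile` → `while`, and the patch rule's `groupName` says `(exclude 0.x.y)` although its `matchCurrentValue` only excludes `0.0.y` versions.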