ci: add renovate config#5

Open
sydorovdmytro wants to merge 2 commits into main from devops-971/add-renovate-config

Conversation

@sydorovdmytro

Closes DEVOPS-971

Summary

  • Onboard Renovate for this public TypeScript/npm library, starting from the loft-sh baseline (config:recommended + :semanticCommits + digest-pinned GitHub Actions, weekly schedule, security alerts bypass schedule).
  • Tailor npm rules per loft-sh conventions: 7-day stabilization for all JS deps, group non-major npm updates, majors individually for human review.
  • Add the validate-renovate CI caller workflow so future config edits are validated on every PR.

Coverage

Surface | Manager
package.json (4 deps + 2 devDeps, exact-pinned) | built-in npm
.github/workflows/validate-renovate.yaml (reusable-workflow ref) | built-in github-actions (digest-pinned via helpers:pinGitHubActionDigests)

No lockfile exists: the library is consumed as a git dependency (npm install https://github.com/loft-sh/loft-javascript-client), so npm manages package.json ranges directly.

Deliberately not managed

  • gen/ generated TypeScript models — generated from loft-sh API definitions. These are source files that import nothing versioned and pin no dependency versions, so there is nothing for Renovate to update; no manager and no ignorePaths change needed (config:recommended already scopes managers via :ignoreModulesAndTests).
  • lib/ build output — gitignored build artifacts; not a dependency surface.
  • No custom regex managers were needed: there are no out-of-band version pins (no Dockerfiles, no .nvmrc/.tool-versions/engines, no npx @x.y.z pins, no curl/release-download installs).

Test plan

  • renovate-config-validator renovate.json -> passed ("Config validated successfully").
  • No custom regex managers, so no matchString verification required.
  • LOG_LEVEL=debug renovate --platform=local --dry-run=extract -> extracted 2 package files, manager stats npm: {fileCount: 1, depCount: 6} and github-actions: {fileCount: 1, depCount: 1}, covering every ecosystem in the inventory.
  • actionlint on the workflow -> 0 findings; zizmor -> 0 findings.

Post-merge checklist

  • Dependency Dashboard issue appears and the first run resolves both managers (npm, github-actions).
  • The existing GitHub security alert on the default branch gets a security-labeled Renovate PR.
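
As an added illustration (this is not the renovate.json from the PR, which the page does not show), the following renovate.json5 expresses the settings the summary lists: the loft-sh baseline presets, a 7-day release age for npm, grouped non-major npm updates, majors left as individual PRs, and vulnerability-alert PRs that bypass the weekly schedule. The groupName text and the "security" label value are assumptions.

```json5
// renovate.json5: constructed example of the configuration described in the PR summary.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",             // baseline defaults, including :ignoreModulesAndTests
    ":semanticCommits",               // conventional-commit style PR titles
    "helpers:pinGitHubActionDigests", // rewrite uses: owner/action@vN to an immutable commit sha
    "schedule:weekly",                // routine updates batched into one weekly window
  ],
  packageRules: [
    {
      // Stabilization: wait 7 days after an npm release before proposing it, so a
      // compromised or quickly unpublished version is usually caught before it is offered.
      matchManagers: ["npm"],
      minimumReleaseAge: "7 days",
    },
    {
      // Fold minor and patch npm bumps into one PR. Majors are not matched here, so they
      // fall through to the default of one PR each for individual human review.
      matchManagers: ["npm"],
      matchUpdateTypes: ["minor", "patch"],
      groupName: "npm non-major dependencies", // assumed name
    },
  ],
  vulnerabilityAlerts: {
    // PRs fixing GitHub security alerts ignore the weekly window and the release-age
    // delay so the fix is proposed as soon as Renovate sees the alert.
    schedule: ["at any time"],
    minimumReleaseAge: null,
    labels: ["security"], // assumed label; the post-merge checklist expects a security-labeled PR
  },
}
```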
