Skip to content

chore(deps): adopt hybrid Renovate and Dependabot ownership#453

Merged
ss-o merged 8 commits into
mainfrom
feature-452
Jun 21, 2026
Merged

chore(deps): adopt hybrid Renovate and Dependabot ownership#453
ss-o merged 8 commits into
mainfrom
feature-452

Conversation

@ss-o

@ss-o ss-o commented Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

  • restore a conservative organization-wide Renovate preset for routine dependency version updates
  • retain GitHub Dependabot for dependency alerts and security update pull requests, with an explicit no-overlap policy
  • accept ADR 0012, add an operational runbook, and correct stale README references including the missing metrics/ and renovate-config.json entries
  • migrate z-shell/.github itself atomically from routine Dependabot updates to the shared Renovate preset

Why

Repository-local Dependabot version-update files had drifted across schedules, grouping, ecosystems, and target branches. Renovate provides a shared organization preset and broader tuning, while GitHub remains the native authority for vulnerability alerts and security remediation.

The two services now have separate responsibilities:

  • Renovate: routine dependency version updates
  • Dependabot: dependency graph alerts and security update PRs

They must not both create routine updates in the same repository.

Rollout

This PR migrates only z-shell/.github. The Renovate GitHub App is installed for all organization repositories and is active. The remaining repository migrations are staged behind this PR reaching main and tracked in #452, including preservation of repository-specific behavior such as zi targeting next.

Configuration safeguards

  • weekly Monday update window in UTC
  • three-day minimum release age
  • Dependency Dashboard enabled
  • no global automerge
  • five concurrent and two hourly PR limits
  • non-major updates grouped by manager
  • non-major GitHub Actions updates grouped separately; majors remain isolated

Verification

  • Renovate config validator: both renovate-config.json and renovate.json valid
  • Trunk: 8 changed policy/configuration files checked, no issues
  • Lychee: 47 links checked, 0 errors
  • git diff --check: clean
  • README local-link and stale-reference invariants: pass
  • live GitHub state: Renovate App active for all repositories
  • live GitHub state: Dependabot alerts and automated security fixes enabled for z-shell/.github

Follow-up: #452 remains open until the child-repository migration checklist is completed.

@ss-o ss-o marked this pull request as ready for review June 21, 2026 04:49
@ss-o ss-o requested a review from a team as a code owner June 21, 2026 04:49
@ss-o ss-o merged commit 8ee0416 into main Jun 21, 2026
4 checks passed
@ss-o ss-o deleted the feature-452 branch June 21, 2026 04:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ss-o