From 857e8de11c12b2ae9fab4842283f8873ef03a924 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Fri, 8 May 2026 17:06:36 +0200 Subject: [PATCH] chore(ci): add triage guide to Renovate dependency dashboard MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dashboard issue Renovate maintains lists pending updates in a handful of sections (Open / Awaiting Schedule / Pending Approval / Detected dependencies / …) but the section headings alone are not self-explanatory — easy to lose the patch+minor vs major distinction we put in place via `dependencyDashboardApproval` for majors. Add a `dependencyDashboardHeader` markdown block that maps each section to the triage action it expects from the maintainer: which to batch-merge, which to leave alone, which to read the changelog before approving. Re-state the pinned constraints (Prisma majors blocked until the Prisma 7 ADR per ADR-0006; the Trivy / gitleaks pins in workflow YAML which Renovate doesn't see). Cross-link to docs/development.md for the full procedure. Re-renders on the next Renovate run (no code change required — the header is part of the dashboard issue body). --- renovate.json | 1 + 1 file changed, 1 insertion(+) diff --git a/renovate.json b/renovate.json index e045640..0d82293 100644 --- a/renovate.json +++ b/renovate.json @@ -4,6 +4,7 @@ "gitAuthor": "APF Portal Bot ", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", + "dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | Patch + minor PRs already created. CI is running or done. | Review & merge once green. Batch-merge friendly. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n", "labels": ["dependencies"], "prHourlyLimit": 4, "prConcurrentLimit": 10,