chore(ci): add triage guide to Renovate dependency dashboard (#54)
CI / commits (push) Has been skipped
CI / check (push) Successful in 59s
CI / scan (push) Successful in 1m7s
CI / a11y (push) Successful in 37s
CI / perf (push) Successful in 1m51s

## Summary
The Renovate dashboard organises pending updates in standard sections (Open / Awaiting Schedule / Pending Approval / Detected dependencies / …). The section headings alone aren't self-explanatory, so the patch+minor vs major distinction we set up via `dependencyDashboardApproval: true` for majors gets lost in the noise.

Add a `dependencyDashboardHeader` markdown block that:
- maps each section → the triage action expected (batch-merge / leave alone / read-changelog-then-tick);
- re-states the pinned constraints visible right at the top: Prisma majors blocked per ADR-0006, Trivy/gitleaks workflow pins not Renovate-tracked;
- cross-links to `docs/development.md` for the full procedure (lighter CI on bot PRs, etc.).

## Test plan
- [ ] After merge, trigger Renovate manually (Actions → Renovate → Run workflow).
- [ ] The "Renovate Dependency Dashboard" issue body now starts with the triage table; sections below are unchanged.
- [ ] Pending major bumps (e.g. anything Renovate now holds for approval) are clearly distinguishable from the patch/minor batch.

## After this PR
Triage the dashboard with the new guide; once that wave is digested, on to **A — local infra recipe**.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #54
This commit was merged in pull request #54.
This commit is contained in:
2026-05-08 17:14:33 +02:00
parent caf730bc40
commit 8f81b6202e
+1
View File
@@ -4,6 +4,7 @@
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>", "gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
"dependencyDashboard": true, "dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard", "dependencyDashboardTitle": "Renovate Dependency Dashboard",
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | Patch + minor PRs already created. CI is running or done. | Review & merge once green. Batch-merge friendly. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
"labels": ["dependencies"], "labels": ["dependencies"],
"prHourlyLimit": 4, "prHourlyLimit": 4,
"prConcurrentLimit": 10, "prConcurrentLimit": 10,