chore(ci): auto-merge low-risk renovate updates
After ~10 days of clean track record on Renovate (~30 PRs merged without regression beyond the TS/ESLint/webpack-cli majors that the dashboard-approval rule now catches), enable auto-merge for patch / pin / digest / lockFileMaintenance updates. CI is the gate — `check` / `scan` / `a11y` going red leaves the PR open for manual triage. Minors keep needing human review (might widen surface), majors are still dashboard-approval-gated. The dashboard triage header is updated so the "Open" row reflects the new reality (mostly minors, with red patches surfacing briefly when CI fails). docs/development.md "Reviewing Renovate PRs" gains a bullet describing the auto-merge behaviour for contributors landing on the project later. `automergeStrategy: "squash"` matches our trunk-based squash-merge convention. `automergeType: "pr"` keeps a PR + CI run as the audit trail (vs branch-direct push), and Gitea automerges the PR once green via the bot's existing `repo:write` permission.
This commit is contained in:
+2
-1
@@ -339,7 +339,8 @@ Repo → Actions → "Renovate" workflow → Run workflow. Useful when you've ju
|
|||||||
### Reviewing Renovate PRs
|
### Reviewing Renovate PRs
|
||||||
|
|
||||||
- Renovate PRs run a leaner CI pipeline than human PRs — `check`, `scan`, `a11y` only. The `perf` and `commits` gates are skipped (per [ADR-0017](decisions/0017-performance-budgets-lighthouse-ci.md) — Lighthouse signal on a dep bump is essentially zero, commitlint on bot-generated messages is tautological). The full `perf` gate still runs on `push` to `main` post-merge, so regressions are caught seconds after merge rather than before.
|
- Renovate PRs run a leaner CI pipeline than human PRs — `check`, `scan`, `a11y` only. The `perf` and `commits` gates are skipped (per [ADR-0017](decisions/0017-performance-budgets-lighthouse-ci.md) — Lighthouse signal on a dep bump is essentially zero, commitlint on bot-generated messages is tautological). The full `perf` gate still runs on `push` to `main` post-merge, so regressions are caught seconds after merge rather than before.
|
||||||
- Don't merge until the remaining gates are green.
|
- **Patch / pin / digest / lockfile-maintenance updates auto-merge** as soon as their CI is green. The bot opens the PR, CI runs, Renovate squashes it into `main` without waiting for a human. They appear briefly in the dashboard's "Open" section while CI runs, then disappear into the merged log. Failures stay open for triage. **Minor and major** updates remain manual.
|
||||||
|
- Don't merge minor PRs until the remaining gates are green.
|
||||||
- **Major bumps are gated behind the dependency dashboard.** Renovate does not auto-create PRs for major updates; instead, they appear in the "Renovate Dependency Dashboard" issue with a checkbox. Tick the box only after reading the upstream changelog and confirming the rest of our toolchain (Nx plugins, Angular CLI, NestJS, etc.) supports the new major. This guard exists because `nx affected` sees a deps-only change as not affecting any project — so a major that breaks the build can pass CI silently and only surface days later. Past offenders we caught the hard way: TypeScript 5→6 (deprecated `baseUrl`), ESLint 9→10 (Nx eslint plugin not yet compatible), webpack-cli 5→7 (removed `--node-env` flag).
|
- **Major bumps are gated behind the dependency dashboard.** Renovate does not auto-create PRs for major updates; instead, they appear in the "Renovate Dependency Dashboard" issue with a checkbox. Tick the box only after reading the upstream changelog and confirming the rest of our toolchain (Nx plugins, Angular CLI, NestJS, etc.) supports the new major. This guard exists because `nx affected` sees a deps-only change as not affecting any project — so a major that breaks the build can pass CI silently and only surface days later. Past offenders we caught the hard way: TypeScript 5→6 (deprecated `baseUrl`), ESLint 9→10 (Nx eslint plugin not yet compatible), webpack-cli 5→7 (removed `--node-env` flag).
|
||||||
- The "Renovate Dependency Dashboard" issue (auto-created on first run) lists every pending update grouped by status. Use it to triage which PRs to expedite.
|
- The "Renovate Dependency Dashboard" issue (auto-created on first run) lists every pending update grouped by status. Use it to triage which PRs to expedite.
|
||||||
- For a major bump that introduces breaking changes, **don't reflexively merge**: read the changelog, then either accept the work or close the PR with a "rejected" label. Renovate respects that label and won't keep re-opening the same major.
|
- For a major bump that introduces breaking changes, **don't reflexively merge**: read the changelog, then either accept the work or close the PR with a "rejected" label. Renovate respects that label and won't keep re-opening the same major.
|
||||||
|
|||||||
+8
-1
@@ -4,7 +4,7 @@
|
|||||||
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
|
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
|
||||||
"dependencyDashboard": true,
|
"dependencyDashboard": true,
|
||||||
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
|
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
|
||||||
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | Patch + minor PRs already created. CI is running or done. | Review & merge once green. Batch-merge friendly. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
|
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
|
||||||
"labels": ["dependencies"],
|
"labels": ["dependencies"],
|
||||||
"prHourlyLimit": 4,
|
"prHourlyLimit": 4,
|
||||||
"prConcurrentLimit": 10,
|
"prConcurrentLimit": 10,
|
||||||
@@ -22,6 +22,13 @@
|
|||||||
"dependencyDashboardApproval": true,
|
"dependencyDashboardApproval": true,
|
||||||
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
|
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"matchUpdateTypes": ["patch", "pin", "digest", "lockFileMaintenance"],
|
||||||
|
"automerge": true,
|
||||||
|
"automergeType": "pr",
|
||||||
|
"automergeStrategy": "squash",
|
||||||
|
"description": "Auto-merge low-risk updates: patch bumps, pinned-range refreshes, image digest pins, and the weekly lockfile maintenance refresh. CI is the gate — if `check` / `scan` / `a11y` go red, the PR stays open for manual triage. Minor bumps still need a human review (might widen surface) and majors are dashboard-gated above."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"groupName": "Angular",
|
"groupName": "Angular",
|
||||||
"matchPackageNames": [
|
"matchPackageNames": [
|
||||||
|
|||||||
Reference in New Issue
Block a user