chore(ci): set up Renovate dependency automation #11

Merged
julien merged 1 commits from chore/ci/renovate-setup into main 2026-05-04 17:37:14 +02:00
Owner

Summary

Wire up Renovate to keep dependencies fresh without manual triage.

  • Workflow.gitea/workflows/renovate.yml: cron daily at 03:00 UTC + workflow_dispatch, runs on the existing self-hosted runners. Picked 03:00 specifically so Monday's tick sits inside Renovate's default lockFileMaintenance.schedule ("before 4am Monday") and triggers the weekly lockfile refresh in passing.
  • Configrenovate.json: config:recommended baseline + groupings (Angular, Nx, NestJS, Prisma, Vitest, TypeScript tooling, ESLint, SWC, Tailwind), Conventional-Commits commit messages, OSV.dev as vulnerability source, dependency dashboard issue.
  • Docs — new §5 in docs/development.md covering the bot onboarding (manual, one-shot), how to trigger Renovate manually, how to review its PRs. The placeholder roadmap entry is dropped from §8.

No ADR — Renovate is operational tooling, not an architectural decision (and on Gitea it's the only viable bot anyway, no real alternative to capture).

Manual setup required after merge

The workflow is wired but inert until the bot is onboarded once on Gitea:

  1. Create a non-admin Gitea user apf-portal-bot.
  2. Add the bot as a Write collaborator on this repo.
  3. Sign in as the bot, generate a PAT (scopes: read/write repository, read/write issue, read user).
  4. Add the PAT as the repo secret RENOVATE_TOKEN (Settings → Actions → Secrets).

Detailed steps in docs/development.md → "Dependency updates (Renovate)".

Test plan

  • After bot onboarding, trigger the workflow manually (Repo → Actions → Renovate → Run workflow).
  • First run creates the "Renovate Dependency Dashboard" issue and a batch of grouped PRs (Angular, Nx, …).
  • Each generated PR has CI green (check, scan, commits, perf, a11y).
  • Commit subject matches chore(deps): … / fix(deps): … so the commits gate doesn't reject.
## Summary Wire up Renovate to keep dependencies fresh without manual triage. - **Workflow** — `.gitea/workflows/renovate.yml`: cron daily at 03:00 UTC + `workflow_dispatch`, runs on the existing self-hosted runners. Picked 03:00 specifically so Monday's tick sits inside Renovate's default `lockFileMaintenance.schedule` ("before 4am Monday") and triggers the weekly lockfile refresh in passing. - **Config** — `renovate.json`: `config:recommended` baseline + groupings (Angular, Nx, NestJS, Prisma, Vitest, TypeScript tooling, ESLint, SWC, Tailwind), Conventional-Commits commit messages, OSV.dev as vulnerability source, dependency dashboard issue. - **Docs** — new §5 in `docs/development.md` covering the bot onboarding (manual, one-shot), how to trigger Renovate manually, how to review its PRs. The placeholder roadmap entry is dropped from §8. No ADR — Renovate is operational tooling, not an architectural decision (and on Gitea it's the only viable bot anyway, no real alternative to capture). ## Manual setup required after merge The workflow is wired but inert until the bot is onboarded once on Gitea: 1. Create a non-admin Gitea user `apf-portal-bot`. 2. Add the bot as a **Write** collaborator on this repo. 3. Sign in as the bot, generate a PAT (scopes: read/write `repository`, read/write `issue`, read `user`). 4. Add the PAT as the repo secret `RENOVATE_TOKEN` (Settings → Actions → Secrets). Detailed steps in [`docs/development.md`](docs/development.md) → "Dependency updates (Renovate)". ## Test plan - [x] After bot onboarding, trigger the workflow manually (Repo → Actions → Renovate → Run workflow). - [ ] First run creates the "Renovate Dependency Dashboard" issue and a batch of grouped PRs (Angular, Nx, …). - [ ] Each generated PR has CI green (`check`, `scan`, `commits`, `perf`, `a11y`). - [ ] Commit subject matches `chore(deps): …` / `fix(deps): …` so the `commits` gate doesn't reject.
julien added 1 commit 2026-05-04 16:42:35 +02:00
chore(ci): set up Renovate dependency automation
CI / commits (pull_request) Successful in 1m36s
CI / check (pull_request) Successful in 1m40s
CI / a11y (pull_request) Successful in 40s
CI / perf (pull_request) Successful in 1m54s
CI / scan (pull_request) Failing after 3m39s
c55c549b81
Renovate runs as a daily Gitea Actions cron (03:00 UTC, on
self-hosted runners) and opens PRs against main for dependency
updates. Picked daily-at-3am specifically so Monday's run sits
inside Renovate's default `lockFileMaintenance.schedule` ("before
4am on Monday") and triggers the weekly lockfile refresh in passing.

The workflow only handles invocation + Gitea-platform plumbing.
Bot behaviour (groupings, labels, Conventional Commits, OSV.dev
vulnerability source) lives in /renovate.json so it can evolve
without redeploying the workflow.

Groups defined: Angular, Nx, NestJS, Prisma (incl. nestjs-prisma),
Vitest, TypeScript tooling, ESLint, SWC, Tailwind. Standalone
packages get individual PRs.

Bot identity: a dedicated `apf-portal-bot` Gitea user authenticates
with a PAT stored as the RENOVATE_TOKEN repo secret. The full
onboarding procedure (user creation, scopes, secret) is documented
in docs/development.md → "Dependency updates (Renovate)".

The roadmap entry for Renovate is removed from §8 since the section
now exists.
julien merged commit 82911f9319 into main 2026-05-04 17:37:14 +02:00
julien deleted branch chore/ci/renovate-setup 2026-05-04 17:37:14 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#11