chore(ci): set up Renovate dependency automation #11
Reference in New Issue
Block a user
Delete Branch "chore/ci/renovate-setup"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Wire up Renovate to keep dependencies fresh without manual triage.
.gitea/workflows/renovate.yml: cron daily at 03:00 UTC +workflow_dispatch, runs on the existing self-hosted runners. Picked 03:00 specifically so Monday's tick sits inside Renovate's defaultlockFileMaintenance.schedule("before 4am Monday") and triggers the weekly lockfile refresh in passing.renovate.json:config:recommendedbaseline + groupings (Angular, Nx, NestJS, Prisma, Vitest, TypeScript tooling, ESLint, SWC, Tailwind), Conventional-Commits commit messages, OSV.dev as vulnerability source, dependency dashboard issue.docs/development.mdcovering the bot onboarding (manual, one-shot), how to trigger Renovate manually, how to review its PRs. The placeholder roadmap entry is dropped from §8.No ADR — Renovate is operational tooling, not an architectural decision (and on Gitea it's the only viable bot anyway, no real alternative to capture).
Manual setup required after merge
The workflow is wired but inert until the bot is onboarded once on Gitea:
apf-portal-bot.repository, read/writeissue, readuser).RENOVATE_TOKEN(Settings → Actions → Secrets).Detailed steps in
docs/development.md→ "Dependency updates (Renovate)".Test plan
check,scan,commits,perf,a11y).chore(deps): …/fix(deps): …so thecommitsgate doesn't reject.Renovate runs as a daily Gitea Actions cron (03:00 UTC, on self-hosted runners) and opens PRs against main for dependency updates. Picked daily-at-3am specifically so Monday's run sits inside Renovate's default `lockFileMaintenance.schedule` ("before 4am on Monday") and triggers the weekly lockfile refresh in passing. The workflow only handles invocation + Gitea-platform plumbing. Bot behaviour (groupings, labels, Conventional Commits, OSV.dev vulnerability source) lives in /renovate.json so it can evolve without redeploying the workflow. Groups defined: Angular, Nx, NestJS, Prisma (incl. nestjs-prisma), Vitest, TypeScript tooling, ESLint, SWC, Tailwind. Standalone packages get individual PRs. Bot identity: a dedicated `apf-portal-bot` Gitea user authenticates with a PAT stored as the RENOVATE_TOKEN repo secret. The full onboarding procedure (user creation, scopes, secret) is documented in docs/development.md → "Dependency updates (Renovate)". The roadmap entry for Renovate is removed from §8 since the section now exists.