Files
apf_portal/renovate.json
T
Julien Gautier a800b9d28d
CI / commits (pull_request) Successful in 1m13s
CI / scan (pull_request) Successful in 1m21s
CI / check (pull_request) Successful in 1m22s
CI / a11y (pull_request) Successful in 1m28s
CI / perf (pull_request) Successful in 2m55s
chore(ci): auto-merge low-risk renovate updates
After ~10 days of clean track record on Renovate (~30 PRs merged
without regression beyond the TS/ESLint/webpack-cli majors that
the dashboard-approval rule now catches), enable auto-merge for
patch / pin / digest / lockFileMaintenance updates. CI is the
gate — `check` / `scan` / `a11y` going red leaves the PR open for
manual triage. Minors keep needing human review (might widen
surface), majors are still dashboard-approval-gated.

The dashboard triage header is updated so the "Open" row reflects
the new reality (mostly minors, with red patches surfacing
briefly when CI fails). docs/development.md "Reviewing Renovate
PRs" gains a bullet describing the auto-merge behaviour for
contributors landing on the project later.

`automergeStrategy: "squash"` matches our trunk-based squash-merge
convention. `automergeType: "pr"` keeps a PR + CI run as the
audit trail (vs branch-direct push), and Gitea automerges the PR
once green via the bot's existing `repo:write` permission.
2026-05-10 03:55:57 +02:00

89 lines
5.1 KiB
JSON

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | **Minor** PRs (and any patch / lockfile-maintenance PRs whose CI is currently red). Patch / pin / digest / lockfile bumps with green CI auto-merge — they appear here only briefly while CI runs. | Review & merge minors once green; investigate red patches as they show up. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n",
"labels": ["dependencies"],
"prHourlyLimit": 4,
"prConcurrentLimit": 10,
"lockFileMaintenance": {
"enabled": true
},
"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security", "dependencies"]
},
"packageRules": [
{
"matchUpdateTypes": ["major"],
"dependencyDashboardApproval": true,
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
},
{
"matchUpdateTypes": ["patch", "pin", "digest", "lockFileMaintenance"],
"automerge": true,
"automergeType": "pr",
"automergeStrategy": "squash",
"description": "Auto-merge low-risk updates: patch bumps, pinned-range refreshes, image digest pins, and the weekly lockfile maintenance refresh. CI is the gate — if `check` / `scan` / `a11y` go red, the PR stays open for manual triage. Minor bumps still need a human review (might widen surface) and majors are dashboard-gated above."
},
{
"groupName": "Angular",
"matchPackageNames": [
"@angular/*",
"@angular-devkit/*",
"@angular-eslint/*",
"@schematics/angular",
"angular-eslint"
]
},
{
"groupName": "Nx",
"matchPackageNames": ["@nx/*", "nx"]
},
{
"groupName": "NestJS",
"matchPackageNames": ["@nestjs/*"]
},
{
"groupName": "Prisma",
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"]
},
{
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"],
"matchUpdateTypes": ["major"],
"enabled": false,
"description": "Prisma 7 requires a coordinated upgrade with nestjs-prisma compatibility (Prisma 7 was downgraded to 6 in PR #3 because nestjs-prisma 0.27.0 is incompatible with Prisma 7). Re-enable once a Prisma 7 ADR lands and the wrapper situation is settled — see ADR-0006 §'Prisma version pin: 6.x in v1'."
},
{
"groupName": "Vitest",
"matchPackageNames": ["vitest", "@vitest/*", "/^vitest-/"]
},
{
"groupName": "TypeScript tooling",
"matchPackageNames": [
"typescript",
"typescript-eslint",
"@typescript-eslint/*",
"ts-node",
"ts-jest",
"tslib"
]
},
{
"groupName": "ESLint",
"matchPackageNames": ["eslint", "eslint-*", "@eslint/*"]
},
{
"groupName": "SWC",
"matchPackageNames": ["@swc/*", "@swc-node/*"]
},
{
"groupName": "Tailwind CSS",
"matchPackageNames": ["tailwindcss", "@tailwindcss/*", "postcss"]
}
]
}