Files
apf_portal/renovate.json
T
julien 82911f9319
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m21s
CI / scan (push) Failing after 1m27s
CI / a11y (push) Successful in 44s
CI / perf (push) Successful in 2m28s
chore(ci): set up Renovate dependency automation (#11)
## Summary
Wire up Renovate to keep dependencies fresh without manual triage.

- **Workflow** — `.gitea/workflows/renovate.yml`: cron daily at 03:00 UTC + `workflow_dispatch`, runs on the existing self-hosted runners. Picked 03:00 specifically so Monday's tick sits inside Renovate's default `lockFileMaintenance.schedule` ("before 4am Monday") and triggers the weekly lockfile refresh in passing.
- **Config** — `renovate.json`: `config:recommended` baseline + groupings (Angular, Nx, NestJS, Prisma, Vitest, TypeScript tooling, ESLint, SWC, Tailwind), Conventional-Commits commit messages, OSV.dev as vulnerability source, dependency dashboard issue.
- **Docs** — new §5 in `docs/development.md` covering the bot onboarding (manual, one-shot), how to trigger Renovate manually, how to review its PRs. The placeholder roadmap entry is dropped from §8.

No ADR — Renovate is operational tooling, not an architectural decision (and on Gitea it's the only viable bot anyway, no real alternative to capture).

## Manual setup required after merge

The workflow is wired but inert until the bot is onboarded once on Gitea:

1. Create a non-admin Gitea user `apf-portal-bot`.
2. Add the bot as a **Write** collaborator on this repo.
3. Sign in as the bot, generate a PAT (scopes: read/write `repository`, read/write `issue`, read `user`).
4. Add the PAT as the repo secret `RENOVATE_TOKEN` (Settings → Actions → Secrets).

Detailed steps in [`docs/development.md`](docs/development.md) → "Dependency updates (Renovate)".

## Test plan
- [ ] After bot onboarding, trigger the workflow manually (Repo → Actions → Renovate → Run workflow).
- [ ] First run creates the "Renovate Dependency Dashboard" issue and a batch of grouped PRs (Angular, Nx, …).
- [ ] Each generated PR has CI green (`check`, `scan`, `commits`, `perf`, `a11y`).
- [ ] Commit subject matches `chore(deps): …` / `fix(deps): …` so the `commits` gate doesn't reject.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #11
2026-05-04 17:37:13 +02:00

69 lines
1.6 KiB
JSON

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"labels": ["dependencies"],
"prHourlyLimit": 4,
"prConcurrentLimit": 10,
"lockFileMaintenance": {
"enabled": true
},
"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security", "dependencies"]
},
"packageRules": [
{
"groupName": "Angular",
"matchPackageNames": [
"@angular/*",
"@angular-devkit/*",
"@angular-eslint/*",
"@schematics/angular",
"angular-eslint"
]
},
{
"groupName": "Nx",
"matchPackageNames": ["@nx/*", "nx"]
},
{
"groupName": "NestJS",
"matchPackageNames": ["@nestjs/*"]
},
{
"groupName": "Prisma",
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"]
},
{
"groupName": "Vitest",
"matchPackageNames": ["vitest", "@vitest/*", "/^vitest-/"]
},
{
"groupName": "TypeScript tooling",
"matchPackageNames": [
"typescript",
"typescript-eslint",
"@typescript-eslint/*",
"ts-node",
"ts-jest",
"tslib"
]
},
{
"groupName": "ESLint",
"matchPackageNames": ["eslint", "eslint-*", "@eslint/*"]
},
{
"groupName": "SWC",
"matchPackageNames": ["@swc/*", "@swc-node/*"]
},
{
"groupName": "Tailwind CSS",
"matchPackageNames": ["tailwindcss", "@tailwindcss/*", "postcss"]
}
]
}