Prune dead npm minor/patch automerge presets, document policy

npm minor/patch updates are disabled and handled by weekly lockFileMaintenance,
so the eslint/sass automerge presets (scoped to minor/patch only) could never
fire. Remove them; their updates still auto-merge via the lockfile PR, and their
majors now surface as reviewable PRs per policy.

Wire the missing automerge-typescript preset into automerge-common so TypeScript
majors auto-merge on green CI as intended.

Add a README documenting the update policy, auto-merge safety model, and
supply-chain hardening.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
nemunaire 2026-07-07 16:55:09 +08:00
commit efbd35396f
4 changed files with 86 additions and 39 deletions

84
README.md Normal file
View file

@ -0,0 +1,84 @@
# renovate-config
Shared [Renovate](https://docs.renovatebot.com/) presets used across my repositories.
## Usage
In a repository's `renovate.json`:
```json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>iac/renovate-config",
"local>iac/renovate-config//automerge-common"
]
}
```
- `local>iac/renovate-config` resolves to [`default.json`](default.json).
- Add `//automerge-common` to opt the repository into the trusted auto-merge list.
## Update policy
The goal is to stay current without being flooded by pull requests, while never
auto-merging anything risky.
| Kind of update | What happens |
| --- | --- |
| **In-range minor/patch** (npm) | No individual PR. Pulled in weekly by `lockFileMaintenance`, which auto-merges on green CI. |
| **Security vulnerabilities** | A PR is opened immediately, bypassing the 5-day cooldown. |
| **Majors / out-of-range / pinned** | A PR is opened so it can be reviewed. **Not** auto-merged... |
| **...unless the package is a trusted exception** | Auto-merged, but only if CI passes (see below). |
### Why npm minor/patch have no PRs
`default.json` disables individual npm/pnpm/yarn minor and patch updates. Those
versions already satisfy the semver ranges in `package.json`, so
`lockFileMaintenance` refreshes them in the lockfile once a week and auto-merges
the result. Opening a PR per package would just be noise.
> This relies on `package.json` using version *ranges* (e.g. `^1.2.3`). A
> dependency pinned to an exact version cannot be moved by lock file
> maintenance and will only update through a (reviewable) major/out-of-range PR.
### How auto-merge stays safe
Every consuming repository has a CI pipeline. Auto-merge uses
`automergeType: "branch"`:
1. Renovate pushes the update to a branch.
2. CI runs on that branch.
3. **CI passes** → merged silently, no PR.
4. **CI fails** → a PR is opened instead, so the failure is visible.
An update can therefore only ever auto-merge on green CI.
### Supply-chain hardening
- `minimumReleaseAge: "5 days"` — a freshly published release must age 5 days
before it is considered, mitigating compromised-release attacks.
- `vulnerabilityAlerts.minimumReleaseAge: "0"` — security fixes skip the
cooldown so they land as fast as possible.
- `osvVulnerabilityAlerts` + `:enableVulnerabilityAlerts` + merge-confidence
scoring drive vulnerability detection.
## Presets
| Preset | Purpose |
| --- | --- |
| [`default.json`](default.json) | Base configuration extended by every repo. |
| [`automerge-common.json`](automerge-common.json) | Wires in all the auto-merge exception presets below. |
| [`automerge-bootstrap.json`](automerge-bootstrap.json) | Trust `bootstrap`, `bootstrap-icons`. |
| [`automerge-docker.json`](automerge-docker.json) | Trust `alpine`, `go` base images. |
| [`automerge-go.json`](automerge-go.json) | Trust a curated set of Go modules (minor/patch); schedule AWS SDK bumps; run `go mod tidy`. |
| [`automerge-sveltekit.json`](automerge-sveltekit.json) | Trust SvelteKit and related packages. |
| [`automerge-typescript.json`](automerge-typescript.json) | Trust `typescript`. |
| [`replacement-sveltestrap.json`](replacement-sveltestrap.json) | Migrate `sveltestrap``@sveltestrap/sveltestrap`. |
| [`replacement-eslint-plugin-svelte.json`](replacement-eslint-plugin-svelte.json) | Migrate `eslint-plugin-svelte3``eslint-plugin-svelte`. |
Trusted npm exceptions (typescript, sveltekit, bootstrap) auto-merge **all**
update types including majors — their minor/patch bumps are already handled by
lock file maintenance, so in practice the preset only fires for majors. Go and
Docker presets are unaffected by the npm minor/patch policy and auto-merge as
configured in their files.