renovate-config/README.md
Pierre-Olivier Mercier efbd35396f Prune dead npm minor/patch automerge presets, document policy
npm minor/patch updates are disabled and handled by weekly lockFileMaintenance,
so the eslint/sass automerge presets (scoped to minor/patch only) could never
fire. Remove them; their updates still auto-merge via the lockfile PR, and their
majors now surface as reviewable PRs per policy.

Wire the missing automerge-typescript preset into automerge-common so TypeScript
majors auto-merge on green CI as intended.

Add a README documenting the update policy, auto-merge safety model, and
supply-chain hardening.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-07 16:55:09 +08:00

3.7 KiB

renovate-config

Shared Renovate presets used across my repositories.

Usage

In a repository's renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>iac/renovate-config",
    "local>iac/renovate-config//automerge-common"
  ]
}
  • local>iac/renovate-config resolves to default.json.
  • Add //automerge-common to opt the repository into the trusted auto-merge list.

Update policy

The goal is to stay current without being flooded by pull requests, while never auto-merging anything risky.

Kind of update What happens
In-range minor/patch (npm) No individual PR. Pulled in weekly by lockFileMaintenance, which auto-merges on green CI.
Security vulnerabilities A PR is opened immediately, bypassing the 5-day cooldown.
Majors / out-of-range / pinned A PR is opened so it can be reviewed. Not auto-merged...
...unless the package is a trusted exception Auto-merged, but only if CI passes (see below).

Why npm minor/patch have no PRs

default.json disables individual npm/pnpm/yarn minor and patch updates. Those versions already satisfy the semver ranges in package.json, so lockFileMaintenance refreshes them in the lockfile once a week and auto-merges the result. Opening a PR per package would just be noise.

This relies on package.json using version ranges (e.g. ^1.2.3). A dependency pinned to an exact version cannot be moved by lock file maintenance and will only update through a (reviewable) major/out-of-range PR.

How auto-merge stays safe

Every consuming repository has a CI pipeline. Auto-merge uses automergeType: "branch":

  1. Renovate pushes the update to a branch.
  2. CI runs on that branch.
  3. CI passes → merged silently, no PR.
  4. CI fails → a PR is opened instead, so the failure is visible.

An update can therefore only ever auto-merge on green CI.

Supply-chain hardening

  • minimumReleaseAge: "5 days" — a freshly published release must age 5 days before it is considered, mitigating compromised-release attacks.
  • vulnerabilityAlerts.minimumReleaseAge: "0" — security fixes skip the cooldown so they land as fast as possible.
  • osvVulnerabilityAlerts + :enableVulnerabilityAlerts + merge-confidence scoring drive vulnerability detection.

Presets

Preset Purpose
default.json Base configuration extended by every repo.
automerge-common.json Wires in all the auto-merge exception presets below.
automerge-bootstrap.json Trust bootstrap, bootstrap-icons.
automerge-docker.json Trust alpine, go base images.
automerge-go.json Trust a curated set of Go modules (minor/patch); schedule AWS SDK bumps; run go mod tidy.
automerge-sveltekit.json Trust SvelteKit and related packages.
automerge-typescript.json Trust typescript.
replacement-sveltestrap.json Migrate sveltestrap@sveltestrap/sveltestrap.
replacement-eslint-plugin-svelte.json Migrate eslint-plugin-svelte3eslint-plugin-svelte.

Trusted npm exceptions (typescript, sveltekit, bootstrap) auto-merge all update types including majors — their minor/patch bumps are already handled by lock file maintenance, so in practice the preset only fires for majors. Go and Docker presets are unaffected by the npm minor/patch policy and auto-merge as configured in their files.