Skip to content

Switch Dependabot to Renovate #2893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 11, 2025
Merged

Switch Dependabot to Renovate #2893

merged 1 commit into from
Nov 11, 2025
+14 −18

Conversation

@intgr
Copy link
Collaborator

@intgr intgr commented Nov 10, 2025
edited
Loading

I already migrated djangorestframework-stubs to Renovate and it's working fine. Though it did take me some time to get the configuration right for "automerge" of lock file maintenance.

@sobolevn mentioned in typeddjango/djangorestframework-stubs#863 (comment) that django-stubs also has "problems with uv in django-stubs. dependabot does not even create PRs there". So this might resolve those.

But for this to work, a maintainer with admin access (sobolevn) needs to enroll this repository at https://developer.mend.io/

intgr
intgr commented Nov 10, 2025
View reviewed changes
.github/renovate.json
"automerge": true,
"automergeType": "branch",
"schedule": ["* * * * 1"],
"automergeSchedule": ["* * * * 2"]
Copy link
Collaborator Author

@intgr intgr Nov 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would update all unpinned dependencies in uv.lock once per week:

  • Branch is created every Monday.
  • If the branch build succeeded, Renovate will automatically merge it without a PR on Tuesday.
  • If build failed, a PR will be opened with the changes.

Copy link
Collaborator Author

@intgr intgr Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future, packageRules can be used to configure similar automerge behavior for a wider range of packages.

intgr
intgr commented Nov 10, 2025
View reviewed changes
.github/renovate.json
@@ -0,0 +1,13 @@
{
"dependencyDashboard": true,
Copy link
Collaborator Author

@intgr intgr Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is enabled, Renovate will maintain a GitHub issue about the status of various dependency updates, it can also be used to control its behavior via checkboxes. Example:

intgr
intgr commented Nov 10, 2025
View reviewed changes
.github/workflows/test.yml
push:
branches:
- master
- "renovate/**"
Copy link
Collaborator Author

@intgr intgr Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is needed for Renovate "automerge" to be able to verify branch changes without a PR.

Copy link
Member

@sobolevn sobolevn Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This causes to double all our CI jobs, see #2898

It starts 83 checks :(

Copy link
Collaborator Author

@intgr intgr Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, good point. There are two options:

  1. Configure GitHub Actions concurrency to terminate the branch job when PR job starts.
  2. Only whitelist renovate/lock-file-maintenance for the branch CI.

Option (2) looks simpler -- but the downside is that if we were to expand "automerge" to other package updates, then the list of branches needs updating manually.

ISTM that we actually could use automerge for most version bumps -- in those PRs we usually just check that CI is passing. So automation could save time.

Copy link
Collaborator Author

@intgr intgr Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened a PR for option (2) #2899

@UnknownPlatypus
Copy link
Contributor

UnknownPlatypus commented Nov 10, 2025

I'm +1

UnknownPlatypus
UnknownPlatypus approved these changes Nov 10, 2025
View reviewed changes
Copy link
Contributor

@UnknownPlatypus UnknownPlatypus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm +1 for renovate, lgtm

sobolevn
sobolevn reviewed Nov 11, 2025
View reviewed changes
@sobolevn sobolevn merged commit 936e72b into typeddjango:master Nov 11, 2025
43 checks passed
@intgr
Copy link
Collaborator Author

intgr commented Nov 11, 2025
edited
Loading

@sobolevn don't forget you need to grant Renovate access to the repo also. https://developer.mend.io/github/typeddjango

intgr added a commit that referenced this pull request Nov 12, 2025
@intgr
CI: Only run branch tests on Renovate branches where it's needed
8510a09 
Follow-up to #2893 (comment) -- prevent unnecessary test runs in Renovate branches.

Currently only "lock file maintenace" has automerge enabled, other Renovate branches will use PR tests not branch tests.
@intgr intgr mentioned this pull request Nov 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sobolevn sobolevn sobolevn approved these changes

@UnknownPlatypus UnknownPlatypus UnknownPlatypus approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@intgr @UnknownPlatypus @sobolevn