Labels: enhancement (New feature or request)
Summary
Auto-generate and manage dependency update configuration files (Dependabot and/or Renovate) based on YAML configuration.
Problem
Dependency update configuration must be manually created in each repository. This leads to:
- Inconsistent update schedules across repositories
- Missing configs in new repositories
- No centralized policy for dependency updates
- Difficult to switch between Dependabot and Renovate
Proposed Solution
Add dependency update configuration supporting both Dependabot and Renovate:
Dependabot Configuration
```yaml
# In repositories.yml
repositories:
  my-repo:
    dependabot:
      version: 2
      updates:
        - package_ecosystem: npm
          directory: "/"
          schedule:
            interval: weekly
            day: monday
          open_pull_requests_limit: 10
          reviewers:
            - security-team
          labels:
            - dependencies
            - automated
          commit_message:
            prefix: "chore(deps)"
          groups:
            production:
              patterns:
                - "*"
              exclude_patterns:
                - "@types/*"
            development:
              dependency_type: development
        - package_ecosystem: github-actions
          directory: "/"
          schedule:
            interval: weekly
        - package_ecosystem: docker
          directory: "/"
          schedule:
            interval: monthly
```

Renovate Configuration
```yaml
# In repositories.yml
repositories:
  my-repo:
    renovate:
      extends:
        - "config:recommended"
        - "group:allNonMajor"
      schedule:
        - "before 6am on monday"
      labels:
        - dependencies
        - automated
      automerge: true
      automergeType: pr
      platformAutomerge: true
      packageRules:
        - matchPackagePatterns: ["*"]
          groupName: "all dependencies"
          groupSlug: "all"
        - matchDepTypes: ["devDependencies"]
          automerge: true
        - matchPackageNames: ["typescript"]
          groupName: "typescript"
          automerge: false
      # Vulnerability alerts
      vulnerabilityAlerts:
        enabled: true
        labels: ["security"]
```

Using Both (different repos)
```yaml
# In groups.yml
groups:
  use-dependabot:
    dependabot:
      updates:
        - package_ecosystem: npm
          directory: "/"
          schedule:
            interval: weekly
  use-renovate:
    renovate:
      extends: ["config:recommended"]
      automerge: true
```

```yaml
# In repositories.yml
repositories:
  legacy-app:
    groups: [use-dependabot]
  new-app:
    groups: [use-renovate]
```

Implementation
| Tool | Generated File | Terraform Resource |
|---|---|---|
| Dependabot | .github/dependabot.yml | github_repository_file |
| Renovate | renovate.json or .github/renovate.json | github_repository_file |
Tasks
- Design Dependabot config schema (mirror official schema)
- Design Renovate config schema (mirror official schema)
- Implement Dependabot file generation
- Implement Renovate file generation
- Handle config merging from groups
- Add common preset templates for both tools
- Add validation for generated configs
- Update documentation
- Add examples for different project types
- Add migration guide (Dependabot <-> Renovate)
Considerations
- Should handle existing config files (skip, overwrite, merge)
- Renovate has many more options - support common ones, allow raw JSON passthrough
- Consider Dependabot security updates config
- Renovate presets can be referenced by name (e.g., config:recommended)
- Some orgs use both (Dependabot for security, Renovate for updates)
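The "Handle config merging from groups" and "Add validation for generated configs" tasks are where the real design decisions in this proposal sit, so here is a small Python prototype of those two steps. It is an added example written for this page, not code from this project: the precedence rule (groups applied left to right, the repository's own settings last), the merge semantics (mappings merge recursively, lists append, scalars override), the snake_case-to-hyphen mapping onto Dependabot's official key names, and the allow-list of ecosystems are all assumptions made here. `GROUPS` and `REPOSITORIES` are a constructed sample of what the "Using Both" YAML above would parse to, with repo-level overrides added so that merging has something to do.

```python
# Hypothetical prototype of "config merging from groups" + validation; not the project's own code.
import json
import re
from copy import deepcopy

# Constructed sample: parsed form of the issue's groups.yml / repositories.yml, plus repo-level overrides.
GROUPS = {
    "use-dependabot": {"dependabot": {"updates": [
        {"package_ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"}}]}},
    "use-renovate": {"renovate": {"extends": ["config:recommended"], "automerge": True}},
}
REPOSITORIES = {
    "legacy-app": {"groups": ["use-dependabot"], "dependabot": {"updates": [
        {"package_ecosystem": "docker", "directory": "/", "schedule": {"interval": "monthly"}}]}},
    "new-app": {"groups": ["use-renovate"], "renovate": {"automerge": False, "labels": ["dependencies"]}},
}
# The proposal's YAML uses snake_case keys; Dependabot's official schema hyphenates them (assumed mapping).
DEPENDABOT_KEY_MAP = {"package_ecosystem": "package-ecosystem", "commit_message": "commit-message",
                      "open_pull_requests_limit": "open-pull-requests-limit",
                      "exclude_patterns": "exclude-patterns", "dependency_type": "dependency-type"}
KNOWN_ECOSYSTEMS = {"npm", "github-actions", "docker", "pip", "gomod", "cargo", "bundler", "terraform"}
YAML_RESERVED = {"true", "false", "null", "yes", "no", "on", "off"}

def deep_merge(base, override):
    """Assumed semantics: mappings merge recursively, lists append (deduplicated), scalars override."""
    out = deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        elif isinstance(val, list) and isinstance(out.get(key), list):
            out[key] = out[key] + [v for v in val if v not in out[key]]
        else:
            out[key] = deepcopy(val)
    return out

def resolve(repo_name, groups=GROUPS, repositories=REPOSITORIES):
    """Groups apply left to right, then the repo's own settings win (assumed precedence)."""
    repo, merged = repositories[repo_name], {}
    for group_name in repo.get("groups", []):
        merged = deep_merge(merged, groups[group_name])
    return deep_merge(merged, {k: v for k, v in repo.items() if k != "groups"})

def translate_keys(obj):
    if isinstance(obj, dict):
        return {DEPENDABOT_KEY_MAP.get(k, k): translate_keys(v) for k, v in obj.items()}
    return [translate_keys(item) for item in obj] if isinstance(obj, list) else obj

def validate_dependabot(cfg):
    """Return schema problems as strings; an empty list means the config is acceptable."""
    errors = [] if cfg.get("version") == 2 else ["version must be 2"]
    updates = cfg.get("updates")
    if not isinstance(updates, list) or not updates:
        return errors + ["updates must be a non-empty list"]
    for i, upd in enumerate(updates):
        if upd.get("package-ecosystem") not in KNOWN_ECOSYSTEMS:
            errors.append(f"updates[{i}]: unknown package-ecosystem {upd.get('package-ecosystem')!r}")
    return errors

def _scalar(value):
    """Bare YAML scalar when unambiguous, otherwise the JSON spelling (which YAML accepts)."""
    if (isinstance(value, str) and re.fullmatch(r"[A-Za-z][A-Za-z0-9_./-]*", value)
            and value.lower() not in YAML_RESERVED):
        return value
    return json.dumps(value)

def to_yaml(value, indent=0):
    """Minimal emitter for dict/list/scalar trees, so the example needs no PyYAML."""
    pad, lines = "  " * indent, []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)) and val:
                lines += [f"{pad}{key}:", to_yaml(val, indent + 1)]
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    else:
        for item in value:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 1).splitlines()
                lines += [f"{pad}- {body[0].lstrip()}"] + body[1:]   # first key shares the "- " line
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return "\n".join(lines)

def render_dependabot(cfg):
    official = translate_keys(cfg)
    official = {"version": official.pop("version", 2), **official}   # default to v2 and keep it first
    errors = validate_dependabot(official)
    if errors:
        raise ValueError("invalid dependabot config: " + "; ".join(errors))
    return to_yaml(official) + "\n"

def generate(repo_name):
    """Map generated file path -> content for one repo, only for the tools it configures."""
    cfg, files = resolve(repo_name), {}
    if "dependabot" in cfg:
        files[".github/dependabot.yml"] = render_dependabot(cfg["dependabot"])
    if "renovate" in cfg:   # Renovate reads JSON; $schema gives editors validation and completion
        renovate = {"$schema": "https://docs.renovatebot.com/renovate-schema.json", **cfg["renovate"]}
        files["renovate.json"] = json.dumps(renovate, indent=2) + "\n"
    return files
```

`generate("legacy-app")` returns a single `.github/dependabot.yml` whose `updates` list carries the npm entry inherited from the group followed by the docker entry added at repo level; `generate("new-app")` returns only `renovate.json`, with `automerge` false because the repo-level value overrides the group's. The path/content pairs are what the `github_repository_file` resources in the table above would consume. The YAML emitter is deliberately tiny; a real implementation would reach for `yaml.safe_dump` and validate against the official JSON schemas rather than a hand-kept ecosystem list.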