Skip to content

chore: update Renovate and Dependabot config #467

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
olivermeyer merged 3 commits into from
Mar 17, 2026
+18 −31
Merged

chore: update Renovate and Dependabot config #467

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bae0b9e
chore: update Renovate and Dependabot config
olivermeyer Mar 9, 2026
fbb8660
Merge branch 'main' into chore/update-renovate-dependabot
olivermeyer Mar 11, 2026
1d360e4
Merge branch 'main' into chore/update-renovate-dependabot
olivermeyer Mar 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 0 additions & 26 deletions .github/dependabot.yml
View file
Open in desktop

This file was deleted.

20 changes: 17 additions & 3 deletions renovate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,29 @@
"config:recommended"
],
"timezone": "Europe/Berlin",
"schedule": "before 2am every weekday",
"schedule": ["at any time"],
Copy link

@claude claude bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Excellent Change: Moving from "before 2am every weekday" to ["at any time"] makes Renovate more responsive to upstream updates.

Impact: Dependency update PRs will arrive throughout the day instead of only early morning. This provides:

  • Faster security updates
  • More timely bug fixes
  • Better alignment with upstream release cycles

Note: Lock file maintenance still runs on a schedule (Monday 5am), which prevents PR spam from lock file updates.

"labels": [
"bot",
"renovate",
"dependencies",
"skip:test:long_running",
"skip:codecov"
],
"ignorePaths": [
"plugins/manifest/package.json"
"enabledManagers": ["pep621", "github-actions"],
"lockFileMaintenance": {
"enabled": true,
"schedule": ["before 5am on monday"]
},
Comment on lines +16 to +19
Copy link

@claude claude bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Lock File Maintenance: Great addition!

What this does:

  • Regenerates uv.lock file even when no dependency versions change
  • Updates transitive dependencies (dependencies of dependencies)
  • Runs Monday mornings before European business hours

Why separate from updates:

  • Lock file regeneration can happen without changing pyproject.toml
  • Prevents conflict with version update PRs
  • Monday schedule means fresh lock file for the week

Medical device benefit: Ensures dependency resolution is fresh and reproducible across dev/staging/production environments.

"packageRules": [
{
"groupName": "minor and patch dependencies",
"matchManagers": ["pep621"],
"matchUpdateTypes": ["minor", "patch"]
},
{
"groupName": "GitHub Actions",
"matchManagers": ["github-actions"],
"separateMajorMinor": false
}
]
Comment on lines +20 to 31
Copy link

@claude claude bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Smart Grouping Strategy: These package rules demonstrate best practices:

1. Python Dependencies Grouping (lines 21-25):

  • Groups only minor and patch updates together
  • Why this is safe: Semver guarantees these are non-breaking changes
  • Benefit: Reduces PR noise while keeping major updates separate for careful review
  • Example: If 5 packages have patch updates, you get 1 PR instead of 5

2. GitHub Actions Grouping (lines 26-30):

  • Groups ALL GitHub Actions updates (including major versions)
  • separateMajorMinor: false - intentional choice
  • Why this works: Actions are typically backwards compatible, and failures are caught in CI
  • Benefit: Workflow dependencies stay in sync

This approach balances convenience with safety - well done! 🎯

}
3 changes: 1 addition & 2 deletions specifications/SPEC-BUILD-CHAIN-CICD-SERVICE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,7 @@ The Build Chain and CI/CD Module shall:
│ ├── _docker-publish.yml # Container image publishing
│ ├── _codeql.yml # GitHub CodeQL security analysis
│ └── _ketryx_report_and_check.yml # Compliance reporting
├── copilot-instructions.md # AI pair programming guidelines
└── dependabot.yml # Automated dependency updates
└── copilot-instructions.md # AI pair programming guidelines
Copy link

@claude claude bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Accurate Documentation: Great attention to detail!

The specification now correctly reflects that dependabot.yml has been removed. This kind of documentation hygiene is especially important in medical device software where specifications must accurately reflect implementation.

Note: Dependabot still runs for security alerts (GitHub's default behavior), just not for version updates anymore. This is the right architectural decision.


Makefile # Local development task orchestration
noxfile.py # Python environment management and task automation
Expand Down
Loading