This repository contains the following shared configuration for Renovate, a tool to automate dependency updates, made available as a shareable preset:

- A default `renovate-config.json` file for general use in all repositories.

By calling the file `renovate-config.json` and placing it in this repository, we can take advantage of Renovate detecting it automatically, which makes onboarding repositories easy.
The default configuration has the following goals for a shared preset:
- a single PR for anything non-major that doesn't fit the current version constraints. (e.g. coding standards)
- a PR for any new majors grouped by org.
- otherwise, the lockfile is updated and automatically merged once tests pass, opening a PR only if those fail.
Once the Mend Renovate GitHub app is enabled for a repository, a new "Configure Renovate" PR will be opened containing a basic `renovate.json` file with the following contents:

```json
{
  "extends": [
    "local>lm-commons/.github:renovate-config"
  ]
}
```
In order to be fully compatible with this Renovate configuration, you must ensure the following criteria are met:

- CI actions are enabled for `push` events on branches with the prefix `renovate/*`.
- The lockfile must have been generated using Composer with a version `>=2.2`.
- Lastly, for Renovate to detect the correct version of PHP to use for lockfile maintenance, the PHP version must be set in `composer.json` under the key `config.platform.php`.
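The three onboarding criteria above can be checked mechanically before enabling the app. The following is an added example, not code from the lm-commons repository; it assumes the workflow's `on.push.branches` list has already been parsed, and that the `plugin-api-version` field Composer writes into `composer.lock` tracks the Composer major.minor that generated it. The `composer.json` and `composer.lock` contents are constructed samples.

```python
"""Check a repository against the three Renovate onboarding criteria (added example)."""
import json
import re

# Assumption: composer.lock's "plugin-api-version" tracks the Composer
# major.minor that generated the lockfile (2.2.0 for Composer 2.2, and so on).
MIN_COMPOSER = (2, 2)


def lock_composer_version(lock):
    """Return (major, minor) of the Composer that wrote this composer.lock."""
    ver = lock.get("plugin-api-version", "0.0")
    major, minor = (int(x) for x in ver.split(".")[:2])
    return (major, minor)


def check_repo(composer_json, composer_lock, push_branches):
    """Return {criterion: (passed, detail)} for the three criteria."""
    results = {}
    # 1. CI must run on push to renovate/* branches, otherwise branch automerge
    #    never sees a green check and every update falls back to a PR.
    ci_ok = any(b.startswith("renovate/") for b in push_branches)
    results["ci_push_renovate_branches"] = (ci_ok, push_branches)
    # 2. Lockfile generated with Composer >= 2.2.
    ver = lock_composer_version(composer_lock)
    results["composer_version"] = (ver >= MIN_COMPOSER, ".".join(map(str, ver)))
    # 3. PHP version pinned under config.platform.php so Renovate runs lockfile
    #    maintenance with the right PHP version.
    php = composer_json.get("config", {}).get("platform", {}).get("php")
    pinned = isinstance(php, str) and re.fullmatch(r"\d+\.\d+(\.\d+)?", php) is not None
    results["platform_php"] = (pinned, php)
    return results


def all_passed(results):
    return all(ok for ok, _ in results.values())


# Constructed sample input.
SAMPLE_COMPOSER_JSON = json.loads(
    '{"require": {"php": "~8.1.0 || ~8.2.0"}, "config": {"platform": {"php": "8.1.99"}}}'
)
SAMPLE_LOCK_OK = {"plugin-api-version": "2.6.0"}
SAMPLE_LOCK_OLD = {"plugin-api-version": "2.1.0"}
SAMPLE_PUSH_BRANCHES = ["master", "renovate/**"]

if __name__ == "__main__":
    for name, (ok, detail) in check_repo(SAMPLE_COMPOSER_JSON, SAMPLE_LOCK_OK, SAMPLE_PUSH_BRANCHES).items():
        print(f"{name}: {'ok' if ok else 'FAIL'} ({detail})")
```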
Using primarily the built-in shared presets reduces how often we need to update our configuration when Renovate releases a major version. Take for example `:automergeDisabled`: this adds the configuration `"automerge": false`. Should Renovate change this option in a major version bump, they will also update the preset. So, where possible, presets have been chosen over raw options.
```json
"extends": [
  ":dependencyDashboard",
  ":ignoreModulesAndTests",
  ":automergeMinor",
  ":automergeBranch",
  ":rebaseStalePrs",
  ":semanticCommitsDisabled",
  ":separateMajorReleases",
  ":combinePatchMinorReleases",
  ":enableVulnerabilityAlerts",
  ":timezone(UTC)",
  ":gitSignOff",
  ":label(renovate)",
  "group:allNonMajor"
],
```
- `:dependencyDashboard` - This will open a persistent issue in each repository to allow easy tracking of all Renovate updates.
- `:ignoreModulesAndTests` - This ensures Renovate does not try to update `composer.json` inside `tests/`, `vendor/` etc.
- `:automergeMinor` - Automatically merge non-major updates by default.
- `:automergeBranch` - But set the default automatic merge type to be `branch`, meaning a PR is only opened on failure.
- `:rebaseStalePrs` - Any PRs previously opened by Renovate will be automatically rebased should they fall behind.
- `:semanticCommitsDisabled` - Disable semantic prefixes for commit messages and PR titles.
- `:separateMajorReleases` - Any new major release for a package will be separated into its own update.
- `:combinePatchMinorReleases` - Patch and minor releases for a single package will be combined into a single update.
- `:enableVulnerabilityAlerts` - Open a PR should the repository have any vulnerability alerts (see below).
- `:timezone(UTC)` - Not strictly necessary, but ensures schedules use the UTC timezone.
- `:gitSignOff` - DCO requires all commits to be signed off.
- `:label(renovate)` - Add the label `renovate` to any PRs.
- `group:allNonMajor` - Any non-major updates will be grouped into a single update.
From https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts:
Renovate can read from GitHub's Vulnerability Alerts and customize Pull Requests accordingly. For this to work, you must first ensure you have enabled "Dependency graph" and "Dependabot alerts" under the "Security & analysis" section of the repository's "Settings" tab.
Additionally, if you are running Renovate in app mode then you must make sure that the app has been granted the permissions to read "Vulnerability alerts". If you are the account admin, browse to the app (e.g. https://github.com/apps/renovate), select "Configure", and then scroll down to the "Permissions" section and verify that read access to "vulnerability alerts" is mentioned.
Once the above conditions are met, and you have received one or more vulnerability alerts from GitHub for this repository, then Renovate will attempt to raise fix PRs accordingly.
```json
"commitBodyTable": true,
"lockFileMaintenance": {"enabled": true, "extends": ["schedule:weekly"]},
"platformAutomerge": true,
"prFooter": "[Read more information](https://github.com/lm-commons/.github/blob/master/RENOVATE.md) about the use of [Renovate Bot](https://github.com/renovatebot/renovate) within LM-Commons.",
"rangeStrategy": "replace",
"rollbackPrs": true,
"vulnerabilityAlerts": {
  "extends": [":automergeDisabled", ":automergePr", ":labels(Awaiting Maintainer Response, security)"],
  "rangeStrategy": "bump"
}
```
- `commitBodyTable` - Adds a table to the commit message describing all updates in the commit.
- `lockFileMaintenance` - Lockfile maintenance should be performed during the scheduled run.
- `platformAutomerge` - Use GitHub's merging features, falling back to Renovate's own merging methods.
- `prFooter` - The text here will be set as the footer of any PR opened by Renovate.
- `rangeStrategy` - Setting this to `replace` ensures that PRs are only created once the new release falls outside the version constraints inside `composer.json`.
- `rollbackPrs` - A rare occurrence, but should a package become revoked, a PR to downgrade the package will be created.
- `vulnerabilityAlerts` - Vulnerability alerts, enabled by a previous preset, will use a `rangeStrategy` of `update-lockfile` by default. This ensures that `composer.json` files are updated also, and that manual intervention is required by the maintainer to tag a new minor.
```json
"packageRules": [
  {"matchDepTypes": ["require"], "rangeStrategy": "widen"},
  {"matchPackagePatterns": ["^laminas/"], "groupSlug": "laminas", "groupName": "all Laminas packages"},
  {"matchPackagePatterns": ["^laminas-api-tools/"], "groupSlug": "laminas-api-tools", "groupName": "all Laminas API Tools packages"},
  {"matchPackagePatterns": ["^mezzio/"], "groupSlug": "mezzio", "groupName": "all Mezzio packages"},
  {
    "matchPackageNames": ["php"],
    "allowedVersions": "^8.0",
    "extends": [":automergeDisabled", ":automergePr", ":label(Awaiting Maintainer Response)"],
    "ignoreUnstable": false,
    "groupName": "PHP"
  }
]
```
The first of these package rules will ensure that non-development dependency version constraints are widened when a newer version is available outside them. Widening the range of a development dependency makes little sense. The two strategies in use are:

- `replace` - Replace the range with a newer one if the new version falls outside it, and update nothing otherwise.
- `widen` - Widen the range with the newer one, e.g. `^1.0.0` -> `^1.0.0 || ^2.0.0`.
Although not necessary, this will group updates from each of these organizations into a single update. Combined with the rules from above, this will usually only occur for new major releases.
The final package rule will allow us to use Renovate to automate PHP upgrades. By extending the relevant presets, these PRs are not automatically merged, even if all checks are green, and additionally they will be assigned the label "Awaiting Maintainer Response". The `allowedVersions` setting tells Renovate which PHP versions it is allowed to upgrade to, whilst `ignoreUnstable` set to `false` allows Renovate to propose updates for unreleased PHP versions (e.g. `8.2.0-rc1`).
```json
"packageRules": [
  {"matchPackagePatterns": ["*"], "enabled": false},
  {"matchPackageNames": ["php"], "enabled": true}
]
```
The first rule will disable all updates that aren't lockfile maintenance (disabled above) or vulnerability alerts (which we want to keep). Then with the second rule, we allow updates again but only for PHP.
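Both `packageRules` fragments above rely on the same mechanism: rules are evaluated in order and every matching rule's keys override what came before, which is why a blanket `"enabled": false` followed by a PHP-only `"enabled": true` works. The following added example (not Renovate's code and not part of the lm-commons preset) is a simplified model of that matching for `matchDepTypes`, `matchPackageNames` and `matchPackagePatterns`, run over copies of this page's rules; the treatment of the bare `"*"` pattern as match-everything is an assumption about Renovate's behaviour.

```python
"""Simplified model of Renovate packageRules resolution (added example)."""
import re

# Copies of the two packageRules fragments shown on this page.
PRESET_RULES = [
    {"matchDepTypes": ["require"], "rangeStrategy": "widen"},
    {"matchPackagePatterns": ["^laminas/"], "groupSlug": "laminas", "groupName": "all Laminas packages"},
    {"matchPackagePatterns": ["^laminas-api-tools/"], "groupSlug": "laminas-api-tools",
     "groupName": "all Laminas API Tools packages"},
    {"matchPackagePatterns": ["^mezzio/"], "groupSlug": "mezzio", "groupName": "all Mezzio packages"},
    {"matchPackageNames": ["php"], "allowedVersions": "^8.0",
     "extends": [":automergeDisabled", ":automergePr", ":label(Awaiting Maintainer Response)"],
     "ignoreUnstable": False, "groupName": "PHP"},
]
PHP_ONLY_RULES = [
    {"matchPackagePatterns": ["*"], "enabled": False},
    {"matchPackageNames": ["php"], "enabled": True},
]

MATCHERS = ("matchDepTypes", "matchPackageNames", "matchPackagePatterns")


def rule_matches(rule, dep_name, dep_type):
    """Every matcher present on the rule must hold; rules without matchers match everything."""
    if "matchDepTypes" in rule and dep_type not in rule["matchDepTypes"]:
        return False
    if "matchPackageNames" in rule and dep_name not in rule["matchPackageNames"]:
        return False
    if "matchPackagePatterns" in rule:
        # Assumption: a bare "*" matches everything; anything else is a regex.
        if not any(p == "*" or re.search(p, dep_name) for p in rule["matchPackagePatterns"]):
            return False
    return True


def resolve(rules, dep_name, dep_type="require", base=None):
    """Apply matching rules in order; later rules override earlier ones and the base config."""
    cfg = dict(base or {})
    for rule in rules:
        if rule_matches(rule, dep_name, dep_type):
            cfg.update({k: v for k, v in rule.items() if k not in MATCHERS})
    return cfg


if __name__ == "__main__":
    base = {"rangeStrategy": "replace"}  # top-level setting from the preset
    print(resolve(PRESET_RULES, "laminas/laminas-stdlib", "require", base))
    print(resolve(PRESET_RULES, "phpunit/phpunit", "require-dev", base))
    print(resolve(PHP_ONLY_RULES, "php"), resolve(PHP_ONLY_RULES, "mezzio/mezzio"))
```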
The Renovate config for LM-Commons originates from the Laminas project Renovate config.