Configure Renovate

[renovate-bot]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

---

Detected Package Files

• .github/workflows/build.yml (github-actions)
• .github/workflows/wrapper.yml (github-actions)
• gradle.properties (gradle)
• settings.gradle (gradle)
• build.gradle (gradle)
• gradle/formatting.gradle (gradle)
• gradle/wrapper/gradle-wrapper.properties (gradle-wrapper)

Configuration

🔡 Renovate has detected a custom config for this PR. Feel free to ask for help if you have any doubts and would like it reviewed.

Important: Now that this branch is edited, Renovate can't rebase it from the base branch any more. If you make changes to the base branch that could impact this onboarding PR, please merge them manually.

What to Expect

With your current configuration, Renovate will create 7 Pull Requests:

Update codecov/codecov-action action to v3.1.1

• Schedule: ["at any time"]
• Branch name: renovate/codecov-codecov-action-3.x
• Merge into: main
• Upgrade codecov/codecov-action to v3.1.1

Update dependency org.apache.lucene:lucene-core to v9.4.2

• Schedule: ["at any time"]
• Branch name: renovate/luceneversion
• Merge into: main
• Upgrade org.apache.lucene:lucene-core to 9.4.2

Update jacksonDatabindVersion to v2.14.1

• Schedule: ["at any time"]
• Branch name: renovate/jacksondatabindversion
• Merge into: main
• Upgrade com.fasterxml.jackson.datatype:jackson-datatype-guava to 2.14.1
• Upgrade com.fasterxml.jackson.datatype:jackson-datatype-jsr310 to 2.14.1
• Upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-yaml to 2.14.1
• Upgrade com.fasterxml.jackson.core:jackson-databind to 2.14.1

Update dependency gradle to v7.6

• Schedule: ["at any time"]
• Branch name: renovate/gradle-7.x
• Merge into: main
• Upgrade gradle to 7.6

Update plugin com.diffplug.spotless to v6.12.0

• Schedule: ["at any time"]
• Branch name: renovate/com.diffplug.spotless-6.x
• Merge into: main
• Upgrade com.diffplug.spotless to 6.12.0

Update actions/checkout action to v3

• Schedule: ["at any time"]
• Branch name: renovate/actions-checkout-3.x
• Merge into: main
• Upgrade actions/checkout to v3

Update actions/setup-java action to v3

• Schedule: ["at any time"]
• Branch name: renovate/actions-setup-java-3.x
• Merge into: main
• Upgrade actions/setup-java to v3

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or spam the project. See docs for prhourlylimit for details.

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR has been generated by Mend Renovate. View repository job log here.

[dbwiddis]

I'll move this to .github directory and tweak the config later this week.

[codecov-commenter]

Codecov Report

Merging #256 (132a30a) into main (a0a9c30) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##               main     #256   +/-   ##
=========================================
  Coverage     72.79%   72.79%           
  Complexity      128      128           
=========================================
  Files            28       28           
  Lines           566      566           
  Branches         16       16           
=========================================
  Hits            412      412           
  Misses          145      145           
  Partials          9        9           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[owaiskazi19]

@dbwiddis do we have any issue for Renovate? Just trying to understand what does it do differently than dependabot? Also, we need to add DCO check for it.

[dbwiddis]

@dbwiddis do we have any issue for Renovate? Just trying to understand what does it do differently than dependabot? Also, we need to add DCO check for it.

I tried to force-push with a DCO but then it force pushed over my force push!

I'll try another tactic tonight.

As for what it does differently:

• has a "pending" dashboard issue you can look at to see what updates will be coming if you want to selectively trigger an earlier PR
• or you can just leave it to trigger a PR immediately when it sees an update and it's therefore faster than dependabot
• easier to track overrides without manually updating config files
• it's open source with free management tools, dependabot is closed source privately owned with paid management tools

[dbwiddis]

@dbwiddis do we have any issue for Renovate?

@owaiskazi19 this was originally requested in #185 but took a while to get approved. See the comments on that issue for why I think it's a better choice than dependabot (which I will remove in a separate PR once this is merged).

See also opensearch-project/.github#97 where I will eventually outline this as one of two good options for dependency management that repos should consider.

Just trying to understand what does it do differently than dependabot?

At its core it does "the same thing" but having run both side by side on my own project during transition:

• Renovate is faster
• Renovate covers more (we've had dependabot up for a few weeks and there are 6 pending PRs that Renovate would have found: GHA versions, gradle wrapper version, and updates from this week in 2 of our dependencies that we'll eventually see)
• Dependabot doesn't give any visibility into "pending" updates, just runs however often you want (daily or weekly, etc.) while Renovate will update as soon as a few hours after new versions are published. You can let it create the PR or just auto-update a standing issue that shows you all the pending versions and you can manually request a PR with a mouse click.
• Renovate lets you batch versions together (less an issue for us but it's a feature that dependabot doesn't have).
• Renovate has an automerge function I employ on my own repo (that we won't use here)
• Renovate and its management features described above are open source. Dependabot is closed source and provides basic features and charges money for better management features. Sound familiar? :)

[dbwiddis]

Just trying to understand what does it do differently than dependabot?

One other thing I really like is that the PRs have a status on % adoption and % passing tests from others who have merged the update. When there is (rarely) a breaking change in a plugin that causes everyone's tests to fail, this will catch it and help you avoid (or at least quickly identify that you are not alone) the inevitable test failures.

[owaiskazi19]

Thanks @dbwiddis for bringing this up. I didn't know Renovate has better advantages than dependabot. One last thing we need to do is to add the DCO check for Renovate. Should we do it as a part of this PR or open an issue for the same?
We have DCO check passing for dependabot's PR on OpenSearch.
Also, if we are moving ahead with Renovate should we remove dependabot for the repo?

[dbwiddis]

I didn't know Renovate has better advantages than dependabot.

It is a subjective opinion. For us it's less important; I really think the main project needs this and having it here will give them something to look at as a demo.

One last thing we need to do is to add the DCO check for Renovate.

Added the :gitSignoff preset. By default it already included "Co-authored-by" which passes DCO check on my other repo.

Also, if we are moving ahead with Renovate should we remove dependabot for the repo?

Already added to this PR in 132a30a

[owaiskazi19]

Already added to this PR in 132a30a

Missed this.

[forking-renovate]

Renovate is disabled

Renovate is disabled because there is no Renovate configuration file. To enable Renovate, you can either (a) change this PR's title to get a new onboarding PR, and merge the new onboarding PR, or (b) create a Renovate config file, and commit that file to your base branch.