
chore: add renovate config to enable Renovate #121

Open: heskew wants to merge 1 commit into main from chore/add-renovate


Conversation

heskew (Member) commented Jun 12, 2026

What

Adds renovate.json so Renovate manages dependency updates on oauth. The repo had no Renovate (or Dependabot) config; this mirrors the canonical setup used by harper and harper-pro, minus their repo-specific package rules.

Config

  • extends: ["config:recommended"]
  • Weekly — before 9am Monday (America/New_York)
  • Semantic commits; prConcurrentLimit: 2; minimumReleaseAge: 7 days; internalChecksFilter: strict
  • automerge: true for grouped minor/patch (excludes 0.x via matchCurrentVersion: "!/^0/"); pinned GitHub Action digests
  • reviewersFromCodeOwners: true → future Renovate PRs request the CODEOWNERS (@HarperFast/developers)

Note the automerge: true — it matches harper. For a security-sensitive auth lib you may want to drop it (or scope it to digests only like harper-pro); easy to adjust here before merge.

Heads-up on app scope

Renovate is already installed across the HarperFast org (active renovate[bot] PRs on harper-pro, studio, agent, create-harper, …). If nothing happens after this merges, the Renovate GitHub App may be scoped to selected repositories — in that case, add oauth under org settings → GitHub Apps → Renovate. I couldn't verify the app's repo scope from here (needs admin:org).


🤖 Generated with Claude Code

oauth had no Renovate (or Dependabot) config. Mirror the renovate.json
used by harper / harper-pro so Renovate manages dependency updates here:
config:recommended, weekly Monday-morning ET schedule, semantic commits,
grouped non-major updates with a 7-day minimum release age, and pinned
action digests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces a new renovate.json configuration file to manage dependency updates. The reviewer identified a potential risk with the global automerge setting, which would automatically merge major version upgrades. They provided a suggestion to restrict automerging to non-major updates to prevent breaking changes from being automatically merged.


Comment thread on renovate.json, lines +10 to +25
"automerge": true,
"reviewersFromCodeOwners": true,
"lockFileMaintenance": { "enabled": false },
"packageRules": [
{
"groupName": "pin digests",
"groupSlug": "all-digests",
"matchDepTypes": ["action"],
"pinDigests": true
},
{
"groupName": "all non-major dependencies",
"groupSlug": "all-minor-patch",
"matchUpdateTypes": ["minor", "patch"],
"matchCurrentVersion": "!/^0/"
}
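Review bot: the root-level `"automerge": true` on the first quoted line applies to every update Renovate opens, and the `"matchCurrentVersion": "!/^0/"` filter on the `all-minor-patch` rule only decides which updates are grouped under that name; it does not stop a major bump or a minor bump on a 0.x package from automerging, those simply arrive as separate PRs that still merge unattended. Move `automerge` into that rule so its `matchUpdateTypes` and `matchCurrentVersion` filters also gate the merge, and decide explicitly whether the `pin digests` rule should carry its own `automerge`, since it would otherwise stop automerging once the root value is gone.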

Severity: high

Setting "automerge": true at the root level of your Renovate configuration will cause Renovate to automatically merge all dependency updates (including major version upgrades and 0.y.z updates) once they pass tests. For a security-sensitive OAuth library, this is highly risky as major upgrades often introduce breaking changes that might not be fully caught by the test suite.

To mitigate this risk, it is highly recommended to remove "automerge": true from the root level and restrict it only to safe updates, such as non-major dependencies (minor and patch updates for stable versions).

Suggested change
"automerge": true,
"reviewersFromCodeOwners": true,
"lockFileMaintenance": { "enabled": false },
"packageRules": [
{
"groupName": "pin digests",
"groupSlug": "all-digests",
"matchDepTypes": ["action"],
"pinDigests": true
},
{
"groupName": "all non-major dependencies",
"groupSlug": "all-minor-patch",
"matchUpdateTypes": ["minor", "patch"],
"matchCurrentVersion": "!/^0/"
}
"reviewersFromCodeOwners": true,
"lockFileMaintenance": { "enabled": false },
"packageRules": [
{
"groupName": "pin digests",
"groupSlug": "all-digests",
"matchDepTypes": ["action"],
"pinDigests": true
},
{
"groupName": "all non-major dependencies",
"groupSlug": "all-minor-patch",
"matchUpdateTypes": ["minor", "patch"],
"matchCurrentVersion": "!/^0/",
"automerge": true
}
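Review bot: this suggestion moves `automerge` onto the `all non-major dependencies` rule only, so the `pin digests` rule (the first `packageRules` entry) no longer automerges action digest bumps. The PR description names digest-only automerge as the harper-pro approach, so if digest pins are meant to keep merging on their own, add `"automerge": true` to that rule as well; otherwise it is worth a line in the description that digest PRs now need a reviewer.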

@heskew heskew requested a review from dawsontoth June 12, 2026 14:29
claude (Bot) commented Jun 12, 2026

Reviewed; no blockers found.

github-actions (Contributor) commented

1 blocker found.

1. Global automerge enabled for all updates

File: renovate.json:10
What: The configuration enables automerge: true at the top level, which applies to all dependency updates including major versions and 0.x.x packages.
Why it matters: In 0.x.x versions, minor updates are often breaking, and major updates in stable versions always carry risks. Combined with the project's tsc || true build policy (which allows PRs to pass CI even with type regressions), global automerge could lead to broken code being silently merged into main without human verification.
Suggested fix: Remove automerge: true from the top level (line 10) and move it into the specific packageRules where auto-merging is desired—specifically the all non-major dependencies block (lines 20-25). This ensures that major updates and updates to unstable 0.x.x packages still require manual review.
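To make the review point above concrete, here is an added check (not code from the PR, the oauth repo or Renovate) that models how Renovate resolves `automerge` for one update: the root value, overridden by each matching packageRule in order. It only models the match keys this PR uses (matchDepTypes, matchUpdateTypes and matchCurrentVersion in its optionally negated "/regex/" form) and ignores the status-check and minimumReleaseAge gates Renovate also applies, so treat it as a config lint, not a full simulation; the two configs are constructed from the lines quoted in the thread.

```javascript
// Configs constructed from the lines quoted in the review thread above:
// weakConfig keeps automerge at the root, hardenedConfig moves it into the rule.
const weakConfig = {
  automerge: true,
  packageRules: [
    { matchDepTypes: ["action"], pinDigests: true },
    { matchUpdateTypes: ["minor", "patch"], matchCurrentVersion: "!/^0/" },
  ],
};
const hardenedConfig = {
  packageRules: [
    { matchDepTypes: ["action"], pinDigests: true },
    { matchUpdateTypes: ["minor", "patch"], matchCurrentVersion: "!/^0/", automerge: true },
  ],
};
// matchCurrentVersion in its "/re/" form; a leading "!" negates (assumption: only this form).
function versionMatches(pattern, version) {
  const negate = pattern.startsWith("!");
  const m = /^\/(.*)\/$/.exec(negate ? pattern.slice(1) : pattern);
  if (!m) throw new Error(`unsupported matchCurrentVersion form: ${pattern}`);
  const hit = new RegExp(m[1]).test(version);
  return negate ? !hit : hit;
}

// True when every match key present on the rule accepts the update.
function ruleMatches(rule, upd) {
  if (rule.matchDepTypes && !rule.matchDepTypes.includes(upd.depType)) return false;
  if (rule.matchUpdateTypes && !rule.matchUpdateTypes.includes(upd.updateType)) return false;
  if (rule.matchCurrentVersion && !versionMatches(rule.matchCurrentVersion, upd.currentVersion)) return false;
  return true;
}

// Effective automerge for one update: root value, overridden by each matching rule in order.
function wouldAutomerge(config, upd) {
  let automerge = config.automerge === true;
  for (const rule of config.packageRules || []) {
    if (ruleMatches(rule, upd) && rule.automerge !== undefined) automerge = rule.automerge === true;
  }
  return automerge;
}
// Updates the reviewers want a human to see: a major bump, and a minor bump on a 0.x package.
const RISKY_UPDATES = [
  { depType: "dependencies", updateType: "major", currentVersion: "4.2.0" },
  { depType: "dependencies", updateType: "minor", currentVersion: "0.9.1" },
];
// Lists each risky update the config would merge without review (empty list means none).
function auditAutomerge(config) {
  return RISKY_UPDATES.filter((u) => wouldAutomerge(config, u)).map((u) => `${u.updateType} update from ${u.currentVersion} would automerge`);
}
```

Running `auditAutomerge(weakConfig)` reports both risky updates, while the hardened config reports none yet still automerges a patch on a stable package; note that under the hardened config an action digest bump no longer automerges either, which is the trade-off the thread discusses.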

dawsontoth left a comment

I agree with Gemini :)
