From 28e254dcbd7ccedb8c433fa377c5f8d7c8cf64ae Mon Sep 17 00:00:00 2001
From: luckyPipewrench
Date: Wed, 24 Jun 2026 21:22:45 -0400
Subject: [PATCH 1/2] chore: batch Renovate weekly to cut dependency PR volume
---
 renovate.json | 70 ++++++++------------------------------------------
 1 file changed, 11 insertions(+), 59 deletions(-)
diff --git a/renovate.json b/renovate.json
index 25d1f45..d9e72ad 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,66 +1,18 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "config:recommended",
- ":semanticCommits",
- ":maintainLockFilesWeekly"
- ],
+ "extends": ["config:recommended", ":semanticCommits"],
 "minimumReleaseAge": "10 days",
 "internalChecksFilter": "strict",
- "labels": [
- "dependencies"
- ],
- "prConcurrentLimit": 10,
- "vulnerabilityAlerts": {
- "labels": [
- "security",
- "fast-track"
- ],
- "minimumReleaseAge": "0 days",
- "schedule": [
- "at any time"
- ]
- },
+ "prCreation": "not-pending",
+ "schedule": ["* * * * 1"],
+ "prConcurrentLimit": 5,
+ "prHourlyLimit": 2,
+ "labels": ["dependencies"],
+ "lockFileMaintenance": { "enabled": false },
+ "vulnerabilityAlerts": { "labels": ["security", "fast-track"], "minimumReleaseAge": "0 days", "schedule": ["at any time"] },
 "packageRules": [
- {
- "matchPackagePatterns": [
- "^luckyPipewrench/",
- "^ghcr\\.io/luckypipewrench/"
- ],
- "minimumReleaseAge": "0 days",
- "description": "Own-org packages bypass cooldown (we control the supply chain)"
- },
- {
- "matchManagers": [
- "github-actions"
- ],
- "pinDigests": true,
- "commitMessagePrefix": "ci:",
- "addLabels": [
- "ci"
- ],
- "groupName": "ci-actions"
- },
- {
- "matchManagers": [
- "pip_requirements",
- "pep621"
- ],
- "commitMessagePrefix": "deps:",
- "addLabels": [
- "python"
- ],
- "groupName": "pip-deps"
- },
- {
- "matchUpdateTypes": [
- "major"
- ],
- "addLabels": [
- "major-update",
- "needs-review"
- ],
- "automerge": false
- }
+ { "description": "Pin GitHub Actions to digests for the OpenSSF Scorecard pinned-dependencies check. 
Digest-maintenance PRs batch into the weekly group below.", "matchManagers": ["github-actions"], "pinDigests": true },
+ { "description": "Collapse every non-major update (minor, patch, digest, pin) into ONE weekly batched PR so PR volume stays low.", "matchUpdateTypes": ["minor", "patch", "digest", "pinDigest", "bump"], "groupName": "weekly dependencies" },
+ { "description": "Major updates stay individual and manually reviewed (no automerge), not delayed to the weekly window.", "matchUpdateTypes": ["major"], "addLabels": ["major-update", "needs-review"], "automerge": false, "schedule": ["at any time"] }
 ]
 }
From 83c2b7ed6c34a901a3d1ec91ff84937b153329de Mon Sep 17 00:00:00 2001
From: luckyPipewrench
Date: Wed, 24 Jun 2026 21:36:21 -0400
Subject: [PATCH 2/2] chore: enable osvVulnerabilityAlerts so OSV-database CVEs also fast-track
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/renovate.json b/renovate.json
index d9e72ad..3a6e267 100644
--- a/renovate.json
+++ b/renovate.json
@@ -9,6 +9,7 @@
 "prHourlyLimit": 2,
 "labels": ["dependencies"],
 "lockFileMaintenance": { "enabled": false },
+ "osvVulnerabilityAlerts": true,
 "vulnerabilityAlerts": { "labels": ["security", "fast-track"], "minimumReleaseAge": "0 days", "schedule": ["at any time"] },
 "packageRules": [
 { "description": "Pin GitHub Actions to digests for the OpenSSF Scorecard pinned-dependencies check. Digest-maintenance PRs batch into the weekly group below.", "matchManagers": ["github-actions"], "pinDigests": true },
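Review bot: The added `"lockFileMaintenance": { "enabled": false }`, together with dropping `:maintainLockFilesWeekly` from extends, means transitive pins in lockfiles are only refreshed when a direct dependency happens to bump, and Renovate's vulnerability alerts as far as I know only raise fixes for direct dependencies, so a vulnerable transitive pin can stay in place indefinitely — a supply-chain regression that the "cut PR volume" rationale does not weigh. Keeping it on the same Monday window costs one PR a week: `"lockFileMaintenance": { "enabled": true, "schedule": ["* * * * 1"] }`. The catch-all rule's description says "pin" but its matchUpdateTypes lists pinDigest and bump, so add `"pin"` to the list if range-pinning PRs are meant to batch as well. Nothing in the vulnerabilityAlerts block overrides the new prHourlyLimit/prConcurrentLimit, so confirm in a dry run that a fast-track security PR is not queued behind the weekly batch once those limits are hit. Removing the own-org cooldown bypass rule is a deliberate-looking behavior change that deserves a line in the commit message.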
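Review bot: Enabling `"osvVulnerabilityAlerts": true` widens the set of updates that skip the 10-day minimumReleaseAge, because OSV-sourced updates, as I understand Renovate, inherit the vulnerabilityAlerts block with its `"minimumReleaseAge": "0 days"`; that cooldown is this repo's main guard against a freshly published malicious release, so the trade-off is defensible for security fixes but should be stated in the commit description rather than left implicit. Renovate documents the OSV mode as experimental, so it is worth a dry run to confirm the OSV matches actually pick up the security/fast-track labels and the [SECURITY] branch handling rather than falling into the weekly group. If OSV turns out to be noisier than GitHub's alerts, watch the fast-track PR count for a week before relying on it.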