Skip to content

Replace projected Dependabot with a local Renovate dependency gate#42

Closed
markmals wants to merge 2 commits into
mainfrom
local-deps-gate
Closed

Replace projected Dependabot with a local Renovate dependency gate#42
markmals wants to merge 2 commits into
mainfrom
local-deps-gate

Conversation

@markmals

Copy link
Copy Markdown
Owner

Removes Dependabot from what the scaffolds project and replaces it with a local, stack-agnostic dependency gate wired into each stack's quality-gate commands — dependency updates surface as ongoing work via mise run deps / mise run check instead of as autonomously-opened PRs. Ported from the same setup now running in the trove repo.

What changed

Every stack scaffold (web, go-service, apple, swift-cli, swift-package) now ships:

  • renovate.json (base config:recommended, no dashboard) + scripts/deps-check.sh.
  • a deps mise task — renovate --platform=local --dry-run=full, which never opens PRs and always exits 0 (advisory). It parses Renovate's debug JSON and prints a grouped report: a flagged major — review before upgrading section first, then in-range minor/patch grouped by ecosystem.
  • a new check aggregate that runs the stack's existing gates (fmt:check/lint/typecheck/vet as available) plus deps.
  • node + npm:renovate + jq pinned in [tools] (the two Swift stacks gain a [tools] block).

Dependabot removed: the web scaffold's .github/dependabot.yml.tmpl is deleted; web_test.go now asserts the gate files + tasks ship and that no dependabot.yml is projected. Docs (docs/usage/github.md, docs/design/github-integration.md, BACKLOG.md) updated.

Why local, and why Renovate

Renovate is the one tool that's genuinely ecosystem-agnostic (npm, gomod, SwiftPM, GitHub Actions, Docker, …), so a single gate serves every stack. The check is local/advisory — it stays out of required CI (CI keeps fmt:check/lint/typecheck + the spec verify gate as the blocking checks).

Verification

  • go build ./... + go test ./... — green.
  • All 5 rendered mise.toml files parse as valid TOML with deps + check present.
  • End-to-end smoke test of the ported script against this repo (Go + Swift + Docker + npm in one tree) produced, correctly grouped with majors flagged:
    deps: ⚠ 8 update(s) available — local Renovate dry-run, no PRs opened
      major — review before upgrading (2)
        github-tags lima                               1 → 2.1.2
        go          github.com/charmbracelet/lipgloss  v1.1.0 → v2.0.4
      docker (1) … github-tags (4: swift-argument-parser, swift-openapi-*) … npm (1: vitest)
    
    Confirms the gate works for Go, Swift (SwiftPM → github-tags), Docker, and npm alike.

Notes / call-outs

  • ⚠️ Renovate is node-based, so this drags node tooling into the Go and Swift scaffolds — the Swift package/CLI stacks previously pinned nothing via mise and now gain a [tools] block with node + renovate + jq. That's the inherent cost of one stack-agnostic gate "for every stack." If too heavy for Swift, alternatives: (a) make renovate opt-in there (the script already degrades gracefully if renovate is absent), or (b) drop the gate from the Swift stacks. Easy to trim.
  • The literal per-stack port duplicates deps-check.sh across the 5 scaffolds (no shared projection layer exists in the engine). A specify deps engine command would de-duplicate it; deferred per the chosen approach.
  • Commit scopes are templates/docs rather than the idiomatic scaffold — authored from a cross-repo session whose hook validates a different scope vocabulary. Rename on merge if you prefer scaffold:.

markmals added 2 commits June 15, 2026 12:25
(SpecKit-idiomatic scope would be 'scaffold'; using 'templates' so the
cross-repo session commit hook accepts it.)

Every stack scaffold (web, go-service, apple, swift-cli, swift-package)
now ships a local dependency gate instead of an autonomously-opened
Dependabot config:

  - renovate.json + scripts/deps-check.sh projected into each repo
  - a deps mise task (renovate --platform=local --dry-run=full, never
    opens PRs, always exits 0) wired into a new check aggregate next to
    the stack's existing quality gates
  - node + npm:renovate + jq pinned per stack (the Swift stacks gain a
    [tools] block; Renovate is node-based, so node tooling is the cost
    of a stack-agnostic gate)

The web scaffold drops .github/dependabot.yml.tmpl. Renovate is
ecosystem-agnostic — verified end-to-end against a Go+Swift+Docker+npm
tree, surfacing go, Swift-package (github-tags), docker and npm updates
with majors flagged separately. web_test.go now asserts the gate files +
tasks ship and that no dependabot.yml is projected.
github-integration.md and usage/github.md no longer list dependabot.yml
as a projected .github surface; both note that dependency updates are
handled locally by each stack's deps mise task (Renovate, never opens
PRs). BACKLOG.md's Pillar 2 entry updated to match.
@markmals

Copy link
Copy Markdown
Owner Author

Superseded by #51. The mise-monorepo work that landed on main after this PR made the per-member [tools] approach here architecturally incompatible (members must carry no [tools]; the swift family contributes none). #51 reimplements the same local-Renovate gate once at the monorepo root — one ecosystem-agnostic gate for all members, which also resolves the 5× deps-check.sh duplication and the Swift node-tooling concern called out here.

@markmals markmals closed this Jun 17, 2026
@markmals markmals deleted the local-deps-gate branch June 17, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant