Replace projected Dependabot with a local Renovate dependency gate#42
Closed
markmals wants to merge 2 commits into
Closed
Replace projected Dependabot with a local Renovate dependency gate#42markmals wants to merge 2 commits into
markmals wants to merge 2 commits into
Conversation
(SpecKit-idiomatic scope would be 'scaffold'; using 'templates' so the
cross-repo session commit hook accepts it.)
Every stack scaffold (web, go-service, apple, swift-cli, swift-package)
now ships a local dependency gate instead of an autonomously-opened
Dependabot config:
- renovate.json + scripts/deps-check.sh projected into each repo
- a deps mise task (renovate --platform=local --dry-run=full, never
opens PRs, always exits 0) wired into a new check aggregate next to
the stack's existing quality gates
- node + npm:renovate + jq pinned per stack (the Swift stacks gain a
[tools] block; Renovate is node-based, so node tooling is the cost
of a stack-agnostic gate)
The web scaffold drops .github/dependabot.yml.tmpl. Renovate is
ecosystem-agnostic — verified end-to-end against a Go+Swift+Docker+npm
tree, surfacing go, Swift-package (github-tags), docker and npm updates
with majors flagged separately. web_test.go now asserts the gate files +
tasks ship and that no dependabot.yml is projected.
github-integration.md and usage/github.md no longer list dependabot.yml as a projected .github surface; both note that dependency updates are handled locally by each stack's deps mise task (Renovate, never opens PRs). BACKLOG.md's Pillar 2 entry updated to match.
Owner
Author
|
Superseded by #51. The mise-monorepo work that landed on main after this PR made the per-member |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removes Dependabot from what the scaffolds project and replaces it with a local, stack-agnostic dependency gate wired into each stack's quality-gate commands — dependency updates surface as ongoing work via
mise run deps/mise run checkinstead of as autonomously-opened PRs. Ported from the same setup now running in the trove repo.What changed
Every stack scaffold (web, go-service, apple, swift-cli, swift-package) now ships:
renovate.json(baseconfig:recommended, no dashboard) +scripts/deps-check.sh.depsmise task —renovate --platform=local --dry-run=full, which never opens PRs and always exits 0 (advisory). It parses Renovate's debug JSON and prints a grouped report: a flaggedmajor — review before upgradingsection first, then in-range minor/patch grouped by ecosystem.checkaggregate that runs the stack's existing gates (fmt:check/lint/typecheck/vetas available) plusdeps.node+npm:renovate+jqpinned in[tools](the two Swift stacks gain a[tools]block).Dependabot removed: the web scaffold's
.github/dependabot.yml.tmplis deleted;web_test.gonow asserts the gate files + tasks ship and that nodependabot.ymlis projected. Docs (docs/usage/github.md,docs/design/github-integration.md,BACKLOG.md) updated.Why local, and why Renovate
Renovate is the one tool that's genuinely ecosystem-agnostic (npm, gomod, SwiftPM, GitHub Actions, Docker, …), so a single gate serves every stack. The check is local/advisory — it stays out of required CI (CI keeps
fmt:check/lint/typecheck+ the specverifygate as the blocking checks).Verification
go build ./...+go test ./...— green.mise.tomlfiles parse as valid TOML withdeps+checkpresent.github-tags), Docker, and npm alike.Notes / call-outs
[tools]block with node + renovate + jq. That's the inherent cost of one stack-agnostic gate "for every stack." If too heavy for Swift, alternatives: (a) make renovate opt-in there (the script already degrades gracefully if renovate is absent), or (b) drop the gate from the Swift stacks. Easy to trim.deps-check.shacross the 5 scaffolds (no shared projection layer exists in the engine). Aspecify depsengine command would de-duplicate it; deferred per the chosen approach.templates/docsrather than the idiomaticscaffold— authored from a cross-repo session whose hook validates a different scope vocabulary. Rename on merge if you preferscaffold:.