Replace projected Dependabot with a repo-global Renovate deps gate (monorepo root)#51
Merged
Conversation
Replaces the (never-merged) per-member Dependabot→Renovate approach with a
single repo-global dependency-update gate wired into the mise-monorepo root,
matching the architecture that landed after that PR was written (members carry
no [tools]; the swift family contributes none at all).
wireMonorepo now, alongside maintaining the root mise.toml:
- injects the gate's [tools] (node, npm:renovate, jq) into the root's single
[tools] table (deduped against family pins; never overwrites a user pin),
- appends [tasks.deps] (advisory local Renovate dry-run — never opens PRs,
always exits 0) and [tasks.check] (repo-wide aggregate),
- drops renovate.json + scripts/deps-check.sh at the repo root (skip-existing).
One gate covers every member — Renovate is ecosystem-agnostic — so there's no
per-stack duplication and Swift stacks gain no node tooling of their own.
New tomlKey() quotes mise tool-backend keys like `npm:renovate` (the colon makes
the bare form invalid TOML) while keeping the idempotency comparison on the
decoded bare key. Covered by scaffold unit tests + the monorepo e2e test
(real embedded assets, member stays gate-free).
Remove the web scaffold's .github/dependabot.yml.tmpl (the only projected Dependabot config) now that dependency updates are handled by the repo-global Renovate deps gate at the monorepo root. web_test.go asserts no dependabot.yml is projected. Docs: usage/github.md, design/github-integration.md, design/mise-monorepo.md and BACKLOG.md (Pillar 2) now describe the root-level deps gate; the monorepo memory topic records the tomlKey/npm:renovate quoting gotcha.
Windows file modes carry no Unix executable bit (mode -rw-rw-rw-), so the exec-bit check failed there. The 0o755 write is still correct on Unix, where the bash script actually runs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Supersedes #42. Lands the local-Renovate dependency gate, reworked to fit the mise-monorepo model that landed on main after #42 was written (members carry no
[tools]; the swift family contributes none at all). #42's per-member approach is now architecturally incompatible —web_test.goasserts members have no[tools]— so this implements the gate once, at the repo root.What changed
wireMonorepo— alongside maintaining the rootmise.toml— now wires a single repo-global dependency-update gate, present from the firsttarget add:EnsureRootMise→ensureDepsGatemerges the gate's[tools](node,npm:renovate,jq) into the root's single[tools]table (deduped against family pins; never overwrites a user pin) and appends[tasks.deps](advisory local Renovate dry-run — never opens PRs, always exits 0) +[tasks.check](repo-wide aggregate).EnsureDepsGateFilesdropsrenovate.json+scripts/deps-check.shat the repo root (skip-existing).internal/coreassets/templates/monorepo/{renovate.json,deps-check.sh}.Dependabot removed: the web scaffold's
.github/dependabot.yml.tmpl(the only projected Dependabot config) is deleted;web_test.goasserts nodependabot.ymlis projected.Why root-level (vs #42's per-stack)
A monorepo has one root
mise.tomland Renovate is ecosystem-agnostic — one root-level scan covers every member (npm, gomod, SwiftPM, Actions, Docker, mise tools). This:deps-check.shduplication Replace projected Dependabot with a local Renovate dependency gate #42 flagged,Notes
tomlKey()quotes mise tool-backend keys likenpm:renovate(the colon makes the bare form invalid TOML), while the idempotency compare stays on the decoded bare key. Explicitly tested.node = "24"in the gate matches the node family default, so a node repo dedupes to one entry; it only actually pins node in Go/Swift-only repos (which need it to run the Renovate CLI).Verification
mise run ci(build + vet + gofmt +go test ./...) — green.[tools]created when a family has none,npm:renovateemitted quoted + re-parses,EnsureDepsGateFileswrites + skips-existing + executable script.renovate.json+scripts/deps-check.sh; the member stays gate-free.target addartifact, notinit).