Skip to content

Replace projected Dependabot with a repo-global Renovate deps gate (monorepo root)#51

Merged
markmals merged 3 commits into
mainfrom
deps-gate-root
Jun 17, 2026
Merged

Replace projected Dependabot with a repo-global Renovate deps gate (monorepo root)#51
markmals merged 3 commits into
mainfrom
deps-gate-root

Conversation

@markmals

Copy link
Copy Markdown
Owner

Supersedes #42. Lands the local-Renovate dependency gate, reworked to fit the mise-monorepo model that landed on main after #42 was written (members carry no [tools]; the swift family contributes none at all). #42's per-member approach is now architecturally incompatible — web_test.go asserts members have no [tools] — so this implements the gate once, at the repo root.

What changed

wireMonorepo — alongside maintaining the root mise.toml — now wires a single repo-global dependency-update gate, present from the first target add:

  • EnsureRootMiseensureDepsGate merges the gate's [tools] (node, npm:renovate, jq) into the root's single [tools] table (deduped against family pins; never overwrites a user pin) and appends [tasks.deps] (advisory local Renovate dry-run — never opens PRs, always exits 0) + [tasks.check] (repo-wide aggregate).
  • EnsureDepsGateFiles drops renovate.json + scripts/deps-check.sh at the repo root (skip-existing).
  • Sources live at internal/coreassets/templates/monorepo/{renovate.json,deps-check.sh}.

Dependabot removed: the web scaffold's .github/dependabot.yml.tmpl (the only projected Dependabot config) is deleted; web_test.go asserts no dependabot.yml is projected.

Why root-level (vs #42's per-stack)

A monorepo has one root mise.toml and Renovate is ecosystem-agnostic — one root-level scan covers every member (npm, gomod, SwiftPM, Actions, Docker, mise tools). This:

Notes

  • New tomlKey() quotes mise tool-backend keys like npm:renovate (the colon makes the bare form invalid TOML), while the idempotency compare stays on the decoded bare key. Explicitly tested.
  • node = "24" in the gate matches the node family default, so a node repo dedupes to one entry; it only actually pins node in Go/Swift-only repos (which need it to run the Renovate CLI).

Verification

  • mise run ci (build + vet + gofmt + go test ./...) — green.
  • New scaffold unit tests: deps gate injected, idempotent, [tools] created when a family has none, npm:renovate emitted quoted + re-parses, EnsureDepsGateFiles writes + skips-existing + executable script.
  • Monorepo e2e test (real embedded assets): root gets the gate + renovate.json + scripts/deps-check.sh; the member stays gate-free.
  • Golden init trees unaffected (the gate is a target add artifact, not init).

markmals added 2 commits June 16, 2026 19:45
Replaces the (never-merged) per-member Dependabot→Renovate approach with a
single repo-global dependency-update gate wired into the mise-monorepo root,
matching the architecture that landed after that PR was written (members carry
no [tools]; the swift family contributes none at all).

wireMonorepo now, alongside maintaining the root mise.toml:
  - injects the gate's [tools] (node, npm:renovate, jq) into the root's single
    [tools] table (deduped against family pins; never overwrites a user pin),
  - appends [tasks.deps] (advisory local Renovate dry-run — never opens PRs,
    always exits 0) and [tasks.check] (repo-wide aggregate),
  - drops renovate.json + scripts/deps-check.sh at the repo root (skip-existing).

One gate covers every member — Renovate is ecosystem-agnostic — so there's no
per-stack duplication and Swift stacks gain no node tooling of their own.

New tomlKey() quotes mise tool-backend keys like `npm:renovate` (the colon makes
the bare form invalid TOML) while keeping the idempotency comparison on the
decoded bare key. Covered by scaffold unit tests + the monorepo e2e test
(real embedded assets, member stays gate-free).
Remove the web scaffold's .github/dependabot.yml.tmpl (the only projected
Dependabot config) now that dependency updates are handled by the repo-global
Renovate deps gate at the monorepo root. web_test.go asserts no dependabot.yml
is projected.

Docs: usage/github.md, design/github-integration.md, design/mise-monorepo.md and
BACKLOG.md (Pillar 2) now describe the root-level deps gate; the monorepo memory
topic records the tomlKey/npm:renovate quoting gotcha.
Windows file modes carry no Unix executable bit (mode -rw-rw-rw-), so the
exec-bit check failed there. The 0o755 write is still correct on Unix, where the
bash script actually runs.
@markmals markmals merged commit 76141de into main Jun 17, 2026
4 checks passed
@markmals markmals deleted the deps-gate-root branch June 17, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant