chore: tighten renovate config and add comments#38558

Open
feanil wants to merge 1 commit intomasterfrom
feanil/update_renovate_config
Conversation

@feanil

@feanil feanil commented May 6, 2026

Motivation

Renovate was generating a lot of PR churn — constantly rebasing open PRs and automerging 3rd party dependency updates without review. This created two problems:

  1. Noise: PRs for major/breaking upgrades were being repeatedly rebased, cluttering the commit history and notification feeds with updates that weren't actionable.
  2. Security: Automatically merging 3rd party packages without a waiting period is a supply chain risk — it leaves no window for malicious releases or early critical bugs to be detected and reported before they land in our codebase.

Changes

  • rebaseWhen: 'never' — stops Renovate from auto-rebasing PRs; humans decide when to rebase
  • minimumReleaseAge: '3 days' — adds a buffer between a package release and Renovate opening a PR, giving the community time to detect malicious or broken releases
  • Automerge restricted to @edx/@openedx scopes — removes the broad devDependencies automerge rule and the :automergeMinor preset; 3rd party packages now require human review before merging. Linters and testers (via :automergeLinters/:automergeTesters) remain automerged as they are low-risk.
  • Inline comments added throughout so the intent of each setting is clear to future editors

- Remove :automergeMinor preset and devDependencies automerge rule;
  automerge is now limited to @edx/@openedx scoped packages plus
  linters/testers from the existing presets
- Add rebaseWhen: 'never' to stop Renovate from auto-rebasing PRs
- Add minimumReleaseAge: '3 days' to allow time for early bugs and
  supply chain attacks to be detected before opening PRs
- Add inline comments explaining each setting

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
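The change set above, as an added configuration illustration that is not the PR's own diff: the broad automerge rule the description removes, next to the restricted form it adds. Option and preset names are Renovate's own; the exact shape of the pre-change devDependencies rule and the glob form of matchPackageNames are assumptions.

```json5
// Added illustration, not the PR's diff. rebaseWhen, minimumReleaseAge,
// packageRules, matchDepTypes, matchPackageNames and automerge are Renovate
// settings; the pre-change rule shape is assumed from the PR description.

// ---- BEFORE (assumed): any minor update and any devDependency is merged
// ---- as soon as Renovate sees the release, with no human review for
// ---- third-party publishers.
{
  extends: [
    'config:recommended',
    'schedule:weekly',
    ':automergeLinters',
    ':automergeMinor',          // automerges minor/patch of ANY package
  ],
  packageRules: [
    {
      matchDepTypes: ['devDependencies'],
      automerge: true,          // any devDependency, any publisher
    },
  ],
}

// ---- AFTER: automerge only for our own scopes plus low-risk lint/test
// ---- tooling; everything else waits for a human and a release-age buffer.
{
  extends: [
    'config:recommended',
    'schedule:weekly',
    ':automergeLinters',        // low-risk lint tooling still automerges
    ':automergeTesters',
  ],
  // Humans decide when to rebase; avoids churn on open major-upgrade PRs.
  rebaseWhen: 'never',
  // Buffer between publish and PR: time for the ecosystem to spot a
  // malicious or broken release before it is proposed here.
  minimumReleaseAge: '3 days',
  packageRules: [
    {
      // Only packages published under our own scopes are trusted to automerge.
      matchPackageNames: ['@edx/**', '@openedx/**'],  // glob form assumed
      automerge: true,
    },
  ],
}
```

The two objects are shown side by side for comparison; a real renovate.json5 contains only the second one.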
@feanil feanil requested review from a team and kdmccormick May 6, 2026 13:52
@feanil feanil marked this pull request as ready for review May 6, 2026 13:53
Comment thread .github/renovate.json5
'config:recommended',
'schedule:weekly',
':automergeLinters',
':automergeMinor',
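Review bot: ':automergeMinor' still appears in the extends list shown here; since the description removes that preset, this line should be deleted in the diff, otherwise the preset keeps automerging minor updates of third-party packages regardless of the new scoped packageRules.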
@feanil (author):

This setting is dropped.
