Skip to content

add renovatebot and codeowners#10538

Merged
joshuafernandes merged 11 commits intomasterfrom
renovatebot
Apr 16, 2026
Merged

add renovatebot and codeowners#10538
joshuafernandes merged 11 commits intomasterfrom
renovatebot

Conversation

@joshuafernandes
Copy link
Copy Markdown
Contributor

@joshuafernandes joshuafernandes commented Mar 27, 2026
edited by cursor Bot
Loading

PR Description

add renovatebot

Note

Medium Risk
Mostly CI/configuration changes, but it alters GitHub Actions permissions and adds a Renovate workflow that runs with app credentials/secrets, so misconfiguration could impact repo automation and security posture.

Overview
Adds Renovate automation by introducing a scheduled/manual renovatebot GitHub Actions workflow plus renovate.json rules to manage updates for GitHub Actions, Gradle (deps + wrapper), and Dockerfiles (grouped PRs, 7-day minimum age, and action digest pinning).

Introduces CODEOWNERS for default ownership and explicit owners for .github/workflows/, and updates CI workflows to use least-privilege permissions (global read-all in ci.yml with explicit checks: write for test report jobs; removes unnecessary actions: write from cla.yml).

Reviewed by Cursor Bugbot for commit b0fba0f. Bugbot is set up for automated code reviews on this repo. Configure here.

cursor[bot]
cursor Bot reviewed Mar 27, 2026
View reviewed changes
Comment thread renovate.json
cursor[bot]
cursor Bot reviewed Apr 14, 2026
View reviewed changes
Comment thread .github/workflows/renovatebot.yml
cursor[bot]
cursor Bot reviewed Apr 14, 2026
View reviewed changes
Comment thread .dependabot.yml Outdated
Comment thread .github/dependabot.yml Outdated
@joshuafernandes joshuafernandes changed the title add renovatebot add renovatebot, dependabot and codeowners Apr 14, 2026
cursor[bot]
cursor Bot reviewed Apr 14, 2026
View reviewed changes
Comment thread .github/workflows/renovatebot.yml
@joshuafernandes joshuafernandes force-pushed the renovatebot branch 3 times, most recently from 76461fb to 92b2a86 Compare April 14, 2026 03:11
@StefanBratanov
Copy link
Copy Markdown
Contributor

StefanBratanov commented Apr 14, 2026

What is the point of dependabot if we have renovateBot?

@joshuafernandes
Copy link
Copy Markdown
Contributor Author

joshuafernandes commented Apr 14, 2026
edited
Loading

What is the point of dependabot if we have renovateBot?

I'd like to just use renovateBot for the lot but we've got Dependabot as part of GHAS - am waiting to hear from security if we can use one only. In the interim I've split by separation of concerns so renovate does the heavy lifting:

  • Dependabot just alerts now on things,
  • Renovatebot controls the GHA dependencies, gradle, pip etc - the minimumReleaseAge for stability is not available in dependabot

@joshuafernandes joshuafernandes enabled auto-merge (squash) April 14, 2026 22:34
cursor[bot]
cursor Bot reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 0889a1a. Configure here.

Comment thread renovate.json Outdated
@joshuafernandes joshuafernandes changed the title add renovatebot, dependabot and codeowners add renovatebot and codeowners Apr 16, 2026
@rolfyone
Copy link
Copy Markdown
Contributor

rolfyone commented Apr 16, 2026

id really like to have reasoning when we're adding at the moment, our prs are very unstable with no visibility as to why, and im keen that it doesn't get even worse...

@joshuafernandes
Copy link
Copy Markdown
Contributor Author

joshuafernandes commented Apr 16, 2026

id really like to have reasoning when we're adding at the moment, our prs are very unstable with no visibility as to why, and im keen that it doesn't get even worse...

Which parts are unstable though?

@rolfyone
Copy link
Copy Markdown
Contributor

rolfyone commented Apr 16, 2026

tests fail and need re-running on basically every pr, we're investigating but have lost all the reporting

gfukushima
gfukushima approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gfukushima gfukushima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pr lgtm

@joshuafernandes joshuafernandes merged commit 5998efd into master Apr 16, 2026
71 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 16, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@gfukushima gfukushima gfukushima approved these changes

@usmansaleem usmansaleem Awaiting requested review from usmansaleem

@lucassaldanha lucassaldanha Awaiting requested review from lucassaldanha

Assignees

@lucassaldanha lucassaldanha

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@joshuafernandes @StefanBratanov @rolfyone @gfukushima @lucassaldanha