
chore: update Renovate config #463

Closed
olivermeyer wants to merge 1 commit into main from chore/renovate-groups


Conversation

@olivermeyer
Collaborator

  • Run at any time to avoid "updates are awaiting their schedule" forever
  • Enable lock file maintenance
  • Group all updates to GitHub Actions (major/minor/patch); group minor/patch updates to Python dependencies

Copilot AI review requested due to automatic review settings March 5, 2026 11:58
@olivermeyer olivermeyer added the claude Trigger Claude Code automation label Mar 5, 2026

Copilot AI left a comment


Pull request overview

Updates the repository’s Renovate configuration to adjust update scheduling, enable lockfile maintenance, and group dependency updates more predictably.

Changes:

  • Set Renovate to run on an “at any time” schedule to avoid queued updates waiting on a schedule window.
  • Enable lock file maintenance on a weekly schedule.
  • Add package rules to group minor/patch Python dependency updates and all GitHub Actions updates.

renovate.json Outdated
],
"ignorePaths": [
"plugins/manifest/package.json"
"enabledManagers": ["pep621", "github-actions"],
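Review bot: the `ignorePaths` entry for `plugins/manifest/package.json` is dropped in the same hunk that adds `"enabledManagers": ["pep621", "github-actions"]`; the removal is only harmless because the npm manager is no longer enabled, so the two changes depend on each other, and the PR description, which mentions neither, should state both so that nobody later widens `enabledManagers` without restoring the ignore.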

Copilot AI Mar 5, 2026


enabledManagers restricts Renovate to only pep621 and github-actions. This is a functional change from the previous config (which would have allowed Renovate to update other ecosystems in the repo like Docker/compose, pre-commit, etc.). If the intent is only grouping/scheduling (per PR description), consider removing enabledManagers or expanding it to include the managers you still want Renovate to maintain.

renovate.json Outdated
Comment on lines +13 to +27
"enabledManagers": ["pep621", "github-actions"],
"lockFileMaintenance": {
"enabled": true,
"schedule": ["before 5am on monday"]
},
"packageRules": [
{
"groupName": "minor and patch dependencies",
"matchManagers": ["pep621"],
"matchUpdateTypes": ["minor", "patch"]
},
{
"groupName": "GitHub Actions",
"matchManagers": ["github-actions"],
"separateMajorMinor": false
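Review bot: `"schedule": ["before 5am on monday"]` under `lockFileMaintenance` has no accompanying `timezone`, so Renovate evaluates the window in UTC; if 5 AM Monday is meant in the team's local time, add a top-level `"timezone"` with an IANA zone name. Also, `"separateMajorMinor": false` on the GitHub Actions rule folds major action bumps into the same grouped PR as minor and patch ones, which matches the PR description but means a breaking action upgrade arrives without its own PR; a sentence in the description confirming that trade-off would help future readers.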

Copilot AI Mar 5, 2026


This config enables Renovate updates for pep621 (Python) and github-actions, but the repo also has Dependabot configured for pip and github-actions (see .github/dependabot.yml). Unless one bot is disabled or scopes are separated, this will likely result in duplicate dependency PRs and extra CI load.

@claude

claude bot commented Mar 5, 2026

Claude finished @olivermeyer's task in 1m 27s


Review Complete ✅

  • Read repository documentation (CLAUDE.md files)
  • Review renovate.json changes
  • Check for Dependabot configuration conflicts
  • Analyze CI/CD impact
  • Provide comprehensive review feedback

Summary

This PR updates the Renovate configuration with good intentions but has one critical blocking issue that must be resolved before merging.

🚨 BLOCKING ISSUE

Renovate and Dependabot Overlap - Both bots are now configured to manage the same dependencies, which will result in:

  • Duplicate PRs for the same dependency updates
  • Increased CI/CD load (double the test runs)
  • Maintenance burden (closing duplicate PRs)
  • Potential race conditions when both try to update simultaneously

Current State:

  • Renovate (this PR): Manages pep621 (Python) and github-actions
  • Dependabot (.github/dependabot.yml): Manages pip (Python) and github-actions

📋 Review Findings

✅ What's Good

  1. Schedule Change ("at any time") - Excellent improvement

    • Prevents "updates are awaiting their schedule" bottleneck
    • Renovate can now respond to vulnerabilities immediately
    • Aligns with CI/CD strategy (PRs auto-labeled with skip:test:long_running)
  2. Lock File Maintenance - Critical for uv-based repository

    • Weekly schedule (Monday 5 AM) is well-chosen
    • Catches transitive dependency updates
    • Important for medical device security compliance
  3. Dependency Grouping - Smart strategy

    • Minor/patch Python updates grouped → less PR noise
    • All GitHub Actions updates grouped → easier workflow maintenance
    • Major updates still come individually → proper breaking change review
  4. Label Configuration - Perfect alignment with CI/CD

    • skip:test:long_running reduces CI time
    • skip:codecov avoids coverage noise from dependency updates

⚠️ Issues Found

1. BLOCKING: Dependabot Conflict

Location: renovate.json (entire file) vs .github/dependabot.yml

Issue: Both Renovate and Dependabot are configured to manage:

  • Python dependencies (pep621 in Renovate = pip in Dependabot)
  • GitHub Actions

Impact:

  • Duplicate PRs for every dependency update
  • Wasted CI resources (each bot triggers full test suite)
  • Confusion about which bot to use

Fix Options:

Option A: Disable Dependabot (Recommended)

# Remove or disable .github/dependabot.yml
git rm .github/dependabot.yml
git commit -m "chore: switch from Dependabot to Renovate"

Option B: Partition Responsibilities

# In renovate.json - only handle GitHub Actions
"packageRules": [
  {
    "groupName": "GitHub Actions",
    "matchManagers": ["github-actions"],
    "separateMajorMinor": false
  }
]

# Remove the pep621 rule (let Dependabot handle Python)

Option C: Disable Renovate for Python

{
  "packageRules": [
    {
      "matchManagers": ["pep621"],
      "enabled": false
    }
  ]
}

Recommendation: Option A - Renovate is more feature-rich and better suited for this repository:

  • Lock file maintenance support (critical for uv)
  • Better grouping capabilities
  • More flexible scheduling
  • Single bot to maintain

2. SUGGESTION: Removed ignorePaths Without Explanation

Location: renovate.json:13-15 (removed lines)

Issue: The previous config had:

"ignorePaths": [
  "plugins/manifest/package.json"
]

This was removed in this PR. If plugins/manifest/package.json no longer exists, this is fine. If it still exists and should be ignored, this is a behavior change.

Verify:

ls plugins/manifest/package.json 2>/dev/null && echo "File exists - should it be ignored?" || echo "File doesn't exist - removal is safe"

3. INFORMATION: No enabledManagers Restriction

Context: Copilot's review flagged the absence of enabledManagers as a potential issue.

Analysis: This is actually correct behavior for this repository:

  • The repository only has Python (pep621) and GitHub Actions
  • No Docker, pre-commit, or other ecosystems detected
  • Renovate will auto-detect available managers
  • No need to explicitly restrict

Conclusion: No action needed - current config is appropriate.


Action Required

Before merging, you must choose one of the fix options above to resolve the Dependabot/Renovate overlap.

Recommended Steps:

  1. Decision: Disable Dependabot (recommended) or partition responsibilities
  2. Implement: Apply the chosen fix option
  3. Verify: Check that only one bot will manage each ecosystem
  4. Document: Update PR description to mention the Dependabot change

After merge, monitor for:

  • Only one PR per dependency update
  • Lock file maintenance PRs appear on Mondays
  • Grouped updates work as expected

CI/CD Compatibility ✅

The Renovate configuration is fully compatible with the repository's CI/CD strategy:

  • skip:test:long_running label reduces CI time (~15 min instead of ~30 min)
  • skip:codecov prevents coverage noise
  • ✅ Lock file maintenance aligns with security audit requirements
  • ✅ Grouping reduces PR volume (important for medical device compliance tracking)

Additional Notes

Medical Device Context: This repository is FDA/MDR regulated medical device software. Dependency management is critical for:

  • Security compliance: Regular updates catch CVEs
  • Audit trail: Every dependency change must be traceable
  • Lock file integrity: uv.lock must stay fresh for reproducible builds

The lock file maintenance feature is essential for this use case.

Testing: Since this is a configuration file change, no tests or linting are required. However, after merging:

  1. Wait for first Renovate PR
  2. Verify it has correct labels
  3. Verify no duplicate Dependabot PR appears
  4. Verify lock file maintenance PR appears on Monday
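
As an added check for the Dependabot/Renovate overlap the review above calls blocking (example code, not part of this PR or the repository): the script below parses a Renovate config and a Dependabot config and reports the ecosystems both bots would manage, using the pep621/pip and github-actions correspondence the review relies on, and honouring an Option C style `"enabled": false` rule. Both config contents are constructed for the example, and the dockerfile/docker mapping row is an assumption.

```python
import json
import re

# Renovate manager -> Dependabot package-ecosystem. pep621/pip and github-actions are
# the pairs the review relies on; the dockerfile row is assumed for illustration.
RENOVATE_TO_DEPENDABOT = {"pep621": "pip", "github-actions": "github-actions",
                          "dockerfile": "docker"}

# Constructed renovate.json, mirroring the rules shown in this PR.
RENOVATE_JSON = """{
  "enabledManagers": ["pep621", "github-actions"],
  "lockFileMaintenance": {"enabled": true, "schedule": ["before 5am on monday"]},
  "packageRules": [
    {"groupName": "minor and patch dependencies", "matchManagers": ["pep621"],
     "matchUpdateTypes": ["minor", "patch"]},
    {"groupName": "GitHub Actions", "matchManagers": ["github-actions"],
     "separateMajorMinor": false}
  ]
}"""

# Constructed .github/dependabot.yml covering pip and github-actions, as the review describes.
DEPENDABOT_YML = """version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule: {interval: "weekly"}
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: {interval: "weekly"}
"""


def renovate_managers(config_text):
    """Managers that will open PRs: enabledManagers (every known manager when the key is
    absent, since Renovate then auto-detects) minus any manager a packageRule disables."""
    cfg = json.loads(config_text)
    active = set(cfg.get("enabledManagers", RENOVATE_TO_DEPENDABOT))
    for rule in cfg.get("packageRules", []):
        # Option C in the review: a rule that only names managers and sets enabled: false
        if rule.get("enabled") is False and set(rule) <= {"matchManagers", "enabled"}:
            active -= set(rule.get("matchManagers", []))
    return active


def dependabot_ecosystems(yml_text):
    """package-ecosystem values, pulled with a regex so no YAML library is required."""
    return set(re.findall(r'package-ecosystem:\s*"?([\w-]+)"?', yml_text))


def overlapping_ecosystems(renovate_text, dependabot_text):
    """Ecosystems (Dependabot naming) both bots would manage; an empty list means no clash."""
    ren = {RENOVATE_TO_DEPENDABOT.get(m, m) for m in renovate_managers(renovate_text)}
    return sorted(ren & dependabot_ecosystems(dependabot_text))
```

With the constructed inputs the check reports both `github-actions` and `pip`, which is the duplicate-PR situation described above; it goes back to `github-actions` alone once the pep621 rule is disabled or the pip entry leaves dependabot.yml.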


"enabled": true,
"schedule": ["before 5am on monday"]
},
"packageRules": [


Excellent addition! 👍

Grouping minor and patch updates significantly reduces PR noise while maintaining safety:

  • Major updates: Still come as individual PRs (easier to review breaking changes)
  • Minor/Patch updates: Grouped together (faster review, less context switching)

This aligns well with the repository's CI/CD strategy where:

  • All PRs get skip:test:long_running label (line 10)
  • Fast feedback loop (~15 min for lint + audit + regular tests)
  • Comprehensive validation before merge

Tip: If grouped PRs become too large, consider adding separateMajorMinor: true to split minor from patch, but current config is optimal for this repository size.

"ignorePaths": [
"plugins/manifest/package.json"
"enabledManagers": ["pep621", "github-actions"],
"lockFileMaintenance": {


Great addition! 🔧

Lock file maintenance is a critical feature for repositories using uv:

What it does:

  • Updates uv.lock even when no direct dependencies changed
  • Picks up transitive dependency updates
  • Ensures lockfile stays fresh and secure

Schedule rationale:

  • Monday 5 AM: Runs after main schedule, catches transitive updates from weekend
  • Weekly frequency: Balanced between freshness and PR volume
  • Early morning: Gives team full workday to review if issues arise

Benefits for this medical device SDK:

  1. Security: Transitive CVE fixes applied automatically
  2. Reproducibility: Fresh lock file prevents drift
  3. Compliance: Audit trail of all dependency changes (including indirect)

This is especially important given the SDK's security posture (HIPAA compliance, medical data handling).

@olivermeyer olivermeyer force-pushed the chore/renovate-groups branch from a459ee8 to 5308982 on March 5, 2026 12:04
@olivermeyer
Collaborator Author

Closing as this requires a change to SPEC-BUILD-CHAIN-CICD-SERVICE.md

@olivermeyer olivermeyer closed this Mar 5, 2026
@codecov

codecov bot commented Mar 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 6 files with indirect coverage changes

@sonarqubecloud

sonarqubecloud bot commented Mar 5, 2026
