fix(renovate): delete shadowing .github/renovate.json5 (the real cause of the artifact failures)#841
Merged
Merged
Conversation
…se of every artifact failure The original Dependabot->Renovate migration config at .github/renovate.json5 was never removed when renovate.json was added at the root (#821/#822). Renovate (and Mend's cached config-file name) kept reading the old file, so weeks of edits to renovate.json were silently ignored while the json5's 14-day minimumReleaseAge broke every uv artifact update (renovate#41624). There was never an org-level Mend config layer — just this forgotten file. One config file now: renovate.json, carrying the low-noise design plus the json5 pieces worth keeping (ngmix pin guard, Actions digest pinning, OSV/ vulnerability automerge, majors behind dashboard approval). All age gates gone — fundamentally incompatible with uv-owned resolution. The '0 days' override from #831 is dropped as moot. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The mystery, solved
For weeks Renovate behaved contrary to
renovate.json— artifact failures on every uv lock update, config edits with no effect. The Mend run log revealed why: Renovate was never readingrenovate.jsonat all. The original Dependabot→Renovate migration config at.github/renovate.json5(223c396) was never deleted when the root config was added, and Renovate's config discovery (plus Mend's cached config-file name) kept using it. ItsminimumReleaseAge: 14 daysis fundamentally incompatible with uv-owned resolution (renovatebot/renovate#41624):uv lockresolves transitives past the gate and the artifact step fails — hence the weekly error emails.What
.github/renovate.json5— one config file, ever.renovate.json: ngmix pin guard (deliberate[tool.uv.sources]tag pin, bot must not touch),helpers:pinGitHubActionDigests, OSV + vulnerability-alert automerge, majors behind explicit dashboard approval."0 days"override, and document the shadowing incident in the config's own description so nobody re-fights this ghost.Expected steady state
One weekly grouped non-major PR that automerges on green CI + weekly lockfile maintenance; security fixes automerge out-of-band; majors wait for a dashboard tick. No artifact errors, no email spam.
🤖 Generated with Claude Code
https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde