Skip to content

fix(renovate): delete shadowing .github/renovate.json5 (the real cause of the artifact failures)#841

Merged
cailmdaley merged 1 commit into
developfrom
chore/renovate-single-config
Jul 15, 2026
Merged

fix(renovate): delete shadowing .github/renovate.json5 (the real cause of the artifact failures)#841
cailmdaley merged 1 commit into
developfrom
chore/renovate-single-config

Conversation

@cailmdaley

Copy link
Copy Markdown
Contributor

The mystery, solved

For weeks Renovate behaved contrary to renovate.json — artifact failures on every uv lock update, config edits with no effect. The Mend run log revealed why: Renovate was never reading renovate.json at all. The original Dependabot→Renovate migration config at .github/renovate.json5 (223c396) was never deleted when the root config was added, and Renovate's config discovery (plus Mend's cached config-file name) kept using it. Its minimumReleaseAge: 14 days is fundamentally incompatible with uv-owned resolution (renovatebot/renovate#41624): uv lock resolves transitives past the gate and the artifact step fails — hence the weekly error emails.

What

  • Delete .github/renovate.json5 — one config file, ever.
  • Merge its keep-worthy pieces into renovate.json: ngmix pin guard (deliberate [tool.uv.sources] tag pin, bot must not touch), helpers:pinGitHubActionDigests, OSV + vulnerability-alert automerge, majors behind explicit dashboard approval.
  • Drop all age gates including chore(renovate): explicitly zero minimumReleaseAge to override Mend org layer #831's now-moot "0 days" override, and document the shadowing incident in the config's own description so nobody re-fights this ghost.

Expected steady state

One weekly grouped non-major PR that automerges on green CI + weekly lockfile maintenance; security fixes automerge out-of-band; majors wait for a dashboard tick. No artifact errors, no email spam.

🤖 Generated with Claude Code

https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde

…se of every artifact failure

The original Dependabot->Renovate migration config at .github/renovate.json5
was never removed when renovate.json was added at the root (#821/#822).
Renovate (and Mend's cached config-file name) kept reading the old file, so
weeks of edits to renovate.json were silently ignored while the json5's
14-day minimumReleaseAge broke every uv artifact update (renovate#41624).
There was never an org-level Mend config layer — just this forgotten file.

One config file now: renovate.json, carrying the low-noise design plus the
json5 pieces worth keeping (ngmix pin guard, Actions digest pinning, OSV/
vulnerability automerge, majors behind dashboard approval). All age gates
gone — fundamentally incompatible with uv-owned resolution. The '0 days'
override from #831 is dropped as moot.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde
@cailmdaley cailmdaley merged commit a49c669 into develop Jul 15, 2026
2 checks passed
@cailmdaley cailmdaley deleted the chore/renovate-single-config branch July 15, 2026 21:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant