Summary
The Mend.io-hosted org-wide Renovate GitHub App has been unreliable since late April 2026 — last dependency PR landed 2026-04-29 on smartem-frontend, dashboards stale 4-5 weeks on the other two. Visible cost on smartem-decisions: four manually-authored security bumps in 17 days (mako, urllib3, idna, starlette CVEs) that Renovate should have automated.
PRs to restore the self-hosted Renovate workflow (originally dropped 2026-03-25 in #182) are open on the three smartem repos. fandanGO-cryoem-dls excluded from this round.
PRs
Each adds .github/workflows/renovate.yml only. Twice-daily cron (0 4,16 * * *) plus workflow_dispatch. Pins renovatebot/github-action@v46.1.14 (latest as of 2026-05-11). Reads existing renovate.json — no config changes.
Step-by-step (in order)
1. Add the RENOVATE_TOKEN secret to all three repos (same value); see RENOVATE_TOKEN setup below.
2. First updates Renovate should pick up once running: osv-scanner-action v2.3.3 → v2.3.5 on smartem-decisions/devtools, npm minor/patch group on smartem-frontend.
3. RENOVATE_TOKEN expires one year out (fine-grained PAT max lifetime); plan the rotation.
RENOVATE_TOKEN setup
Open https://github.com/settings/personal-access-tokens/new (fine-grained PAT, NOT classic).
| Field | Value |
|---|---|
| Token name | Renovate (SmartEM repos) |
| Expiration | 1 year (max for fine-grained) |
| Resource owner | vredchenko (your user — DLS org admin not required) |
| Repository access | Only select repositories → smartem-decisions, smartem-devtools, smartem-frontend |
Repository permissions (everything else: No access):

| Permission | Level |
|---|---|
| Actions | Read |
| Contents | Read and write |
| Issues | Read and write |
| Metadata | Read (mandatory, auto-selected) |
| Pull requests | Read and write |
| Workflows | Read and write |
Workflows: Read and write is required because Renovate updates .github/workflows/* (the github-actions manager is enabled in renovate/default.json).
Click Generate, copy the token. For each of the three repos: Settings → Secrets and variables → Actions → New repository secret → name RENOVATE_TOKEN, paste value.
PRs Renovate opens will be authored as vredchenko (the PAT identity), not as a bot — this is fine for portfolio repos. To move to a bot identity later, swap the PAT for a GitHub App token; no workflow changes needed.
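A workflow matching the description in the PRs section (twice-daily cron, workflow_dispatch, pinned renovatebot/github-action@v46.1.14, RENOVATE_TOKEN from the repo secret), written here as an added illustration rather than copied from the open PRs. The actions/checkout version, the explicit permissions block, the concurrency group and the RENOVATE_REPOSITORIES / LOG_LEVEL environment settings are assumptions, not from the issue.

```yaml
# .github/workflows/renovate.yml  (added example, not the PR's file)
name: Renovate

on:
  schedule:
    - cron: "0 4,16 * * *"   # twice daily, 04:00 and 16:00 UTC
  workflow_dispatch:          # manual run to check the secret works

# Assumption: the job's own GITHUB_TOKEN needs nothing beyond read access.
# Every write (branches, PRs, issues, workflow files) goes through the
# fine-grained PAT in RENOVATE_TOKEN, scoped as in the table above.
permissions:
  contents: read

# Assumption: avoid two overlapping Renovate runs on the same repo.
concurrency:
  group: renovate
  cancel-in-progress: false

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4   # assumed version

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v46.1.14
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          # Assumption: limit the run to the repository the workflow lives
          # in; its existing renovate.json is read from there unchanged.
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          # Assumption: verbose logs while diagnosing the stalled runs.
          LOG_LEVEL: debug
```

If the first run opens no PRs, the job log shows whether the PAT was rejected (repository access or permission scope) before looking at renovate.json.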
What about the existing Dependency Dashboard issues (#282, #195, #82)?
Leave them alone. Renovate updates them in place on every run. Once Renovate restarts, each will refresh with current state — checked [x] items on smartem-frontend#82 will be processed (PRs created), stale awaiting-schedule items will be re-evaluated.
Do NOT close them — Renovate may recreate or, in some configurations, treat closure as "disable dashboard for this repo".
Once Renovate is running, pin them on each repo so they're easy to find.
What about the closed "Action Required" issues (#260, #178, #77)?
Already resolved 2026-04-28 (preset path // separator fix). Leave closed. If Renovate fires a new "Action Required" issue after the self-hosted restoration, that's a real signal — investigate immediately.
What this issue does NOT cover
Background
See PR #182 for the original "drop self-hosted" reasoning (sound at the time, didn't pan out empirically). See #172 for the Dependabot→Renovate migration context.