Skip to content

Configure Renovate#238

Merged
toanju merged 3 commits into
mainfrom
renovate/configure
Jun 11, 2026
Merged

Configure Renovate#238
toanju merged 3 commits into
mainfrom
renovate/configure

Conversation

@renovate

@renovate renovate Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

Detected Package Files

  • .github/workflows/dev.yml (github-actions)
  • .github/workflows/nightly.yaml (github-actions)
  • .github/workflows/test.yml (github-actions)
  • .github/workflows/upload_oci.yml (github-actions)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitLab.com contains a link to the commit-to-commit diff
  • Correctly link to the source code for golang.org/x packages
  • Link to pkg.go.dev/... for golang.org/x packages' title
  • Provide a link to octochangelog's improved breakdown for Renovate's changelogs
  • Pin Docker digests.
  • Pin github-action digests.
  • Enable Renovate configuration migration PRs when needed.
  • Pin dependency versions for development dependencies.
  • Recommended configuration for abandoned packages, treating packages without a release for 1 year as abandoned, while taking into account community-sourced overrides.
  • Wait until the npm package is three days old before raising the update. This a) introduces a short delay to allow for malware researchers and scanners to (possibly) detect any malicious behaviour in packages, and b) prevents the maintainer and/or NPM from unpublishing a package you already upgraded to, breaking builds.
  • Run lock file maintenance (updates) early Monday mornings.

You have configured Renovate to use the following baseBranchPatterns: $default, /^rel-\d+-dev$/.

What to Expect

With your current configuration, Renovate will create 15 Pull Requests:

Pin dependencies (main)
Update sigstore/cosign-installer action to v3.10.1 (main)
  • Schedule: ["at any time"]
  • Branch name: renovate/main-sigstore-cosign-installer-3.x
  • Merge into: main
  • Upgrade sigstore/cosign-installer to 7e8b541eb2e61bf99390e1afd4be13a184e9ebc5
Update actions/checkout action to v6 (main)
  • Schedule: ["at any time"]
  • Branch name: renovate/main-actions-checkout-6.x
  • Merge into: main
  • Upgrade actions/checkout to df4cb1c069e1874edd31b4311f1884172cec0e10
Update oras-project/setup-oras action to v2 (main)
  • Schedule: ["at any time"]
  • Branch name: renovate/main-oras-project-setup-oras-2.x
  • Merge into: main
  • Upgrade oras-project/setup-oras to 38de303aac69abb66f3e6255b7198bff35f323e3
Update sigstore/cosign-installer action to v4 (main)
  • Schedule: ["at any time"]
  • Branch name: renovate/main-sigstore-cosign-installer-4.x
  • Merge into: main
  • Upgrade sigstore/cosign-installer to 6f9f17788090df1f26f669e9d70d6ae9567deba6
Pin dependencies (rel-1877-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-1877-dev-pin-dependencies
  • Merge into: rel-1877-dev
  • Upgrade actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5
  • Upgrade ghcr.io/gardenlinux/builder to sha256:3dc78daebb56605baf105d2f20a6e8b94137237c1c2587b80d571fbb5c9f49ab
  • Upgrade oras-project/setup-oras to 22ce207df3b08e061f537244349aac6ae1d214f6
  • Upgrade sigstore/cosign-installer to 398d4b0eeef1380460a10c8013a76f728fb906ac
Update sigstore/cosign-installer action to v3.10.1 (rel-1877-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-1877-dev-sigstore-cosign-installer-3.x
  • Merge into: rel-1877-dev
  • Upgrade sigstore/cosign-installer to 7e8b541eb2e61bf99390e1afd4be13a184e9ebc5
Update actions/checkout action to v6 (rel-1877-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-1877-dev-actions-checkout-6.x
  • Merge into: rel-1877-dev
  • Upgrade actions/checkout to df4cb1c069e1874edd31b4311f1884172cec0e10
Update oras-project/setup-oras action to v2 (rel-1877-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-1877-dev-oras-project-setup-oras-2.x
  • Merge into: rel-1877-dev
  • Upgrade oras-project/setup-oras to 38de303aac69abb66f3e6255b7198bff35f323e3
Update sigstore/cosign-installer action to v4 (rel-1877-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-1877-dev-sigstore-cosign-installer-4.x
  • Merge into: rel-1877-dev
  • Upgrade sigstore/cosign-installer to 6f9f17788090df1f26f669e9d70d6ae9567deba6
Pin dependencies (rel-2150-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-2150-dev-pin-dependencies
  • Merge into: rel-2150-dev
  • Upgrade actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5
  • Upgrade ghcr.io/gardenlinux/builder to sha256:d7063f72c0db3e7cdd618136efb292379794a0c4d4b5ddfc3759795c17d963ab
  • Upgrade oras-project/setup-oras to 22ce207df3b08e061f537244349aac6ae1d214f6
  • Upgrade sigstore/cosign-installer to 398d4b0eeef1380460a10c8013a76f728fb906ac
Update sigstore/cosign-installer action to v3.10.1 (rel-2150-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-2150-dev-sigstore-cosign-installer-3.x
  • Merge into: rel-2150-dev
  • Upgrade sigstore/cosign-installer to 7e8b541eb2e61bf99390e1afd4be13a184e9ebc5
Update actions/checkout action to v6 (rel-2150-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-2150-dev-actions-checkout-6.x
  • Merge into: rel-2150-dev
  • Upgrade actions/checkout to df4cb1c069e1874edd31b4311f1884172cec0e10
Update oras-project/setup-oras action to v2 (rel-2150-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-2150-dev-oras-project-setup-oras-2.x
  • Merge into: rel-2150-dev
  • Upgrade oras-project/setup-oras to 38de303aac69abb66f3e6255b7198bff35f323e3
Update sigstore/cosign-installer action to v4 (rel-2150-dev)
  • Schedule: ["at any time"]
  • Branch name: renovate/rel-2150-dev-sigstore-cosign-installer-4.x
  • Merge into: rel-2150-dev
  • Upgrade sigstore/cosign-installer to 6f9f17788090df1f26f669e9d70d6ae9567deba6

🚸 PR creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prHourlyLimit for details.

Warning

Please correct - or verify that you can safely ignore - these dependency lookup failures before you merge this PR.

  • Could not determine new digest for update (github-digest package actions/checkout)
  • Could not determine new digest for update (github-digest package actions/download-artifact)
  • Could not determine new digest for update (github-digest package actions/cache)

Files affected: .github/workflows/upload_oci.yml

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

This PR was generated by Mend Renovate. View the repository job log.

toanju
toanju previously approved these changes Jun 11, 2026
View reviewed changes
anokfireball
anokfireball previously approved these changes Jun 11, 2026
View reviewed changes
Comment thread renovate.json Outdated
anokfireball
anokfireball reviewed Jun 11, 2026
View reviewed changes
Comment thread renovate.json Outdated
@toanju @anokfireball
Update renovate.json
e5c67bf 
Co-authored-by: Fabian Koller <10155170+anokfireball@users.noreply.github.com>
@toanju toanju dismissed stale reviews from anokfireball and themself via e5c67bf June 11, 2026 12:14
@toanju @anokfireball
Update renovate.json
c8fa5d0 
Co-authored-by: Fabian Koller <10155170+anokfireball@users.noreply.github.com>
This was referenced Jun 11, 2026
Merged
Merged
@toanju toanju merged commit 676d5a4 into main Jun 11, 2026
16 of 22 checks passed
@toanju toanju deleted the renovate/configure branch June 11, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@toanju toanju toanju approved these changes

@anokfireball anokfireball anokfireball approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@toanju @anokfireball