chore: migrate from Dependabot to Renovate

nigel-dev · nigel-dev · commit 87989ccd92ab · 2026-02-11T22:15:33.000-06:00
Replace Dependabot with Renovate for dependency management.
Renovate has native Bun support and correctly handles bun.lock,
which Dependabot does not — causing CI failures on every PR.

Config highlights:
- Groups non-major npm updates into single PRs
- Separate PRs for major version bumps (require review)
- Groups GitHub Actions updates
- Auto-merges minor/patch updates
- Uses chore(deps): and ci(deps): conventional commit prefixes
- Weekend schedule to avoid weekday noise
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/AGENTS.md b/AGENTS.md
@@ -48,7 +48,7 @@ If tests fail, identify whether failures are pre-existing vs introduced by your
 - **Conventional Commits** (`.github/workflows/conventional-commits.yml`) — Validates PR titles follow the convention.
 - **CodeQL** (`.github/workflows/codeql.yml`) — Static analysis for TypeScript; runs on PRs, pushes to `main`, and weekly.
 - **Publish** (`.github/workflows/publish.yml`) — semantic-release to npm on `main`.
-- **Dependabot** (`.github/dependabot.yml`) — Opens weekly PRs for npm and GitHub Actions dependency updates. These use `chore(deps):` and `ci(deps):` commit prefixes.
+- **Renovate** (`renovate.json`) — Automated dependency updates via the Renovate GitHub App. Groups non-major npm updates, creates separate PRs for majors, and auto-merges minor/patch. Uses `chore(deps):` and `ci(deps):` commit prefixes.
 
 ## Branch & Merge Rules
 
diff --git a/renovate.json b/renovate.json
@@ -0,0 +1,39 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "schedule:weekends",
+    ":semanticCommits",
+    ":automergeMinor",
+    ":automergePatch"
+  ],
+  "labels": ["dependencies"],
+  "prHourlyLimit": 3,
+  "prConcurrentLimit": 5,
+  "rebaseWhen": "behind-base-branch",
+  "packageRules": [
+    {
+      "description": "Group non-major npm dependency updates",
+      "matchManagers": ["bun"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm non-major dependencies",
+      "commitMessagePrefix": "chore(deps):",
+      "labels": ["dependencies"]
+    },
+    {
+      "description": "Major npm dependency updates (separate PRs for review)",
+      "matchManagers": ["bun"],
+      "matchUpdateTypes": ["major"],
+      "commitMessagePrefix": "chore(deps):",
+      "labels": ["dependencies"],
+      "automerge": false
+    },
+    {
+      "description": "Group GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "groupName": "github actions",
+      "commitMessagePrefix": "ci(deps):",
+      "labels": ["dependencies", "ci"]
+    }
+  ]
+}
