Renovate dependency automation
IssueSuite uses Renovate for automated dependency updates with built-in lockfile synchronization enforcement. This guide explains the integration and best practices.
Overview
Renovate automatically:
- Detects dependency updates in `pyproject.toml` and `docs/starlight/package.json`
- Creates pull requests for updates
- Runs `scripts/refresh-deps.sh` to synchronize lockfiles
- Ensures `uv.lock` and `package-lock.json` are always current
The CI workflow `.github/workflows/dependencies.yml` validates lockfile synchronization on every PR, blocking merge if drift is detected.
Configuration
IssueSuite’s Renovate configuration lives in `renovate.json`:

```json
{
  "extends": ["config:recommended"],
  "postUpgradeTasks": {
    "commands": ["./scripts/refresh-deps.sh"],
    "fileFilters": [
      "pyproject.toml",
      "uv.lock",
      "docs/starlight/package.json",
      "docs/starlight/package-lock.json"
    ],
    "executionMode": "branch"
  },
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "pinDigests": true,
      "description": "Pin GitHub Actions to exact commit SHAs"
    }
  ]
}
```
Key Features
Post-upgrade tasks: after updating a dependency, Renovate runs `refresh-deps.sh` to regenerate the lockfiles before committing, so a PR never carries a manifest change without the matching lockfile change.
File filters: `fileFilters` lists both manifests and both lockfiles, so every file the script rewrites is picked up into the PR commit.
GitHub Actions pinning: a supply-chain best practice. Actions are pinned to immutable commit SHAs rather than mutable tags, and Renovate updates the digest (keeping a `# vX.Y.Z` comment next to it for readability) when a new release is published.
Caveat: `postUpgradeTasks` only execute on a self-hosted Renovate instance whose administrator has allowlisted the command (`allowedPostUpgradeCommands`, renamed `allowedCommands` in newer releases); the hosted Mend Renovate app does not run arbitrary commands. When the task is skipped, the CI drift check is the only thing that catches it, so confirm task execution in the Renovate log of the first PR before relying on it.
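The pinning rule above is enforced by Renovate on its own PRs, but a workflow edited by hand can still reintroduce a mutable tag. The following check, an added example written for this page rather than IssueSuite’s own tooling, scans workflow text for `uses:` references that are not pinned to a full commit SHA. The workflow in it is constructed inline so the check runs offline, and its SHA is a placeholder, not a real actions/checkout commit.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full
commit SHA, the state Renovate's pinDigests rule is meant to maintain.

Added example for this page (not IssueSuite's own tooling). The workflow text
below is constructed inline so the check runs offline; the SHA in it is a
placeholder, not a real actions/checkout commit.
"""
import re

# `uses:` value up to the first whitespace or comment, whether the key opens a
# list item or follows a `- name:` line. Quotes are stripped afterwards.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference whose ref is not a 40-hex commit SHA.

    Local actions (`./path`) and `docker://` images are skipped: they are not
    fetched from another repository, so there is no commit to pin.
    """
    findings: list[str] = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue
        _, at, version = ref.rpartition("@")
        # No `@` at all (rpartition leaves everything in `version`) or a
        # tag/branch such as v5: both are mutable, so not pinned.
        if not at or not FULL_SHA_RE.fullmatch(version):
            findings.append(ref)
    return findings


# Constructed sample: one digest-pinned step (with Renovate's version comment),
# two tag-pinned steps in both YAML spellings, and one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-setup
      - name: install uv
        uses: "astral-sh/setup-uv@v3"
"""

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {ref}")
```

Run it over `.github/workflows/*.yml` in a CI step and fail the job on any finding; the digest-pinned entry passes and the two tag references are reported.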
Workflow
Automatic Updates
- Renovate detects a new version (e.g., `ruff 0.14.0 → 0.14.1`)
- Updates `pyproject.toml` with the new version
- Runs `./scripts/refresh-deps.sh` to update `uv.lock`
- Commits both files to a PR
- CI validates that the manifest and lockfile are in sync
- PR is ready for review
Manual Override
If you need to update dependencies manually:

```bash
# Edit pyproject.toml or package.json
vim pyproject.toml

# Regenerate lockfiles
./scripts/refresh-deps.sh

# Validate synchronization
./scripts/refresh-deps.sh --check

# Commit both manifest and lockfiles
git add pyproject.toml uv.lock
git commit -m "chore(deps): update ruff to 0.14.1"
```
Security Model
Renovate’s `postUpgradeTasks` execute with the same repository write token Renovate uses to push its branches, in an isolated branch context. Because the task is an arbitrary shell command, the script it runs has to be trusted. IssueSuite’s security posture:
✅ Script is version-controlled — Changes to `refresh-deps.sh` require code review, and Renovate runs the copy checked out in the update branch
✅ No external inputs processed — The script takes no arguments and reads only the local manifests; its only network activity is the package-index resolution performed by the lockfile tools it drives
✅ Isolated execution — Runs in the Renovate branch before merge; nothing reaches main without a PR
✅ CI validation — All changes validated by quality gates, including the lockfile drift check
See ADR-0002 for the full security assessment.
Troubleshooting
Renovate PR has stale lockfiles
Symptom: Renovate PR fails CI with “Lockfiles out of sync”
Cause: `postUpgradeTasks` didn’t run or failed silently (for example the command is not allowlisted on the Renovate instance, or the lockfile tool hit a resolution error)
Solution:
- Check the Renovate logs for task execution errors
- Manually run `./scripts/refresh-deps.sh` in the PR branch
- Push the updated lockfiles
Merge conflicts in lockfiles
Symptom: Renovate PR conflicts with main branch lockfiles
Cause: Multiple dependency PRs merged in different order
Solution:
- Rebase the Renovate PR (tick the rebase/retry checkbox in the PR description): Renovate recreates the branch from main and reruns `refresh-deps.sh`
- Or manually resolve: pull main, run `refresh-deps.sh`, force-push. Renovate stops rebasing a branch once it detects human edits, so request a rebase explicitly if you later want Renovate to take it over again
Dependency not updating
Symptom: Expected dependency update not appearing
Possible causes:
- The dependency is declared with an open range (for example `>=`) that already admits the new version, so there is nothing for Renovate to change; lower bounds are only bumped when `rangeStrategy` is set to `bump`. Exact `==` pins are updated normally.
- Renovate schedule doesn’t match your expectations
- A package rule is excluding the update
Solution: Check the `renovate.json` configuration and the Renovate dashboard logs
Best Practices
For Contributors
✅ Let Renovate handle routine updates — Don’t manually bump versions for minor/patch updates
✅ Review security updates promptly — Renovate flags these as high priority
✅ Test major updates locally — Use `nox -s tests` before approving
✅ Keep lockfiles synchronized — Run `refresh-deps.sh` after manual changes
For Maintainers
✅ Configure automerge carefully — Consider enabling it only for patch/minor updates with passing tests, and pair it with `minimumReleaseAge` so a freshly published (and possibly hijacked) release is not merged within hours of upload
✅ Group related updates — Use Renovate’s grouping feature (`groupName` in a package rule) for related packages
✅ Schedule updates appropriately — Avoid merge conflicts by scheduling outside active development windows
✅ Monitor the Renovate dashboard — Track pending updates and rate limit status
Integration with ADRs
This integration implements architectural decisions from:
- ADR-0002: Automated Dependency Synchronization Enforcement. Renovate’s `postUpgradeTasks` plus CI validation prevent lockfile drift.
- ADR-0004: Development Environment Parity. Lockfile synchronization ensures consistent tool versions across environments.
Success Metrics
Track these indicators (see Gap Analysis):
- ✅ Zero lockfile drift incidents in merged PRs
- ✅ Zero manual lockfile updates needed in Renovate PRs
- ✅ 100% of dependency updates include lockfile changes
- ✅ Advisory refresh runs automatically with security updates
Related Documentation
- Dependency Synchronization Workflow — Manual dependency update process
- ADR Index — Architecture decision records
- CI/CD Automation — GitHub Actions workflows