
Chore/renovate migration#112

Merged: thewrz merged 2 commits into main from chore/renovate-migration on May 17, 2026

Conversation

@thewrz thewrz commented May 17, 2026

Collaborator

Moving from Dependabot to Renovate for more granular control of dependencies and gating their release before auto-merging.

It's a new landscape of uv/pip/npm/cargo etc. getting pwnt by CVEs that attack the dependency pipeline itself.

Need better control and management of these dependencies.

Summary by CodeRabbit

  • Chores
    • Replaced dependency update automation from Dependabot to Renovate
    • Disabled automatic merging of dependency updates
    • Added 7-day minimum release age requirement for dependencies


coderabbitai Bot commented May 17, 2026

📝 Walkthrough

This PR migrates dependency management from Dependabot to Renovate Bot. The Dependabot configuration and auto-merge workflow are removed, replaced by a new Renovate configuration that applies recommended defaults, enforces a 7-day release age, disables automerge, and defines update grouping and labeling rules for GitHub Actions and npm packages.

Changes

Dependabot to Renovate Migration

Renovate Bot configuration (renovate.json): new configuration file enables Renovate with config:recommended, sets minimumReleaseAge to 7 days, disables automerge, applies a baseline dependencies label and commit message prefix, and adds package rules for github-actions (labeled ci, prefixed chore(ci):) and npm-server grouping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Dependabot departs with grace,
Renovate steps into its place!
Seven days to let things brew,
Labels, groups, and auto-merge true.
Dependencies flow with purpose clear. 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Chore/renovate migration' directly and clearly describes the main change: migrating from Dependabot to Renovate for dependency management.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
renovate.json (1)

8-19: 💤 Low value

Consider explicit rules for additional package managers mentioned in the PR.

The PR motivation specifically mentions CVEs targeting "uv/pip/npm/cargo, etc." but only npm and github-actions have explicit package rules defined. Other managers (pip, cargo, uv) will inherit the global settings. While this may be intentional, consider whether you need manager-specific grouping, labeling, or update strategies for Python (pip/uv) and Rust (cargo) dependencies similar to what you've configured for npm and GitHub Actions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@renovate.json` around lines 8 - 19, The packageRules currently only target
"github-actions" and "npm" under the packageRules array; add explicit rules for
the other managers mentioned (e.g., "pip", "pip_requirements" or "pip-compile"
if relevant, "cargo", and "uv" or the Renovate name used for your Python
vendoring) so they don't just inherit global defaults—create new objects with
matchManagers set to each manager name and configure groupName, labels, and
commitMessagePrefix as appropriate (for example, a python/pip rule with label
"python" and a cargo rule with label "rust" or a security-focused group),
referencing the existing packageRules structure and keys ("matchManagers",
"labels", "groupName", "commitMessagePrefix") to mirror the npm/github-actions
entries.


📥 Commits

Reviewing files that changed from the base of the PR and between 848e1f1 and a68c00f.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
  • renovate.json
💤 Files with no reviewable changes (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
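The two things this PR relies on for supply-chain protection (no automerge, and a 7-day release-age gate so a poisoned release can be yanked before it is pulled in) are only as good as the config that survives future edits: a later `packageRules` entry with `automerge: true` or a shorter `minimumReleaseAge` silently overrides the top-level setting for that manager. The checker below is an added example, not code from this repository; it embeds a constructed renovate.json that mirrors the settings the walkthrough describes (the `commitMessagePrefix` values and the `$schema` line are assumptions), and it also flags managers with no explicit rule, which is the reviewer's nitpick above. The `pip_requirements` and `cargo` manager names are real Renovate manager identifiers used here as examples of what a Python or Rust project would require.

```python
"""Policy check for a Renovate config: automerge off, release age gated,
every manager the repo uses covered by an explicit packageRule.

Added example; the JSON below is a reconstruction of the PR's settings
(commit prefixes and $schema are assumed), not the repository's file.
"""
import json
import re

SAMPLE_RENOVATE_JSON = """
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "7 days",
  "automerge": false,
  "labels": ["dependencies"],
  "commitMessagePrefix": "chore(deps):",
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "labels": ["ci"],
      "commitMessagePrefix": "chore(ci):"
    },
    {
      "matchManagers": ["npm"],
      "groupName": "npm-server"
    }
  ]
}
"""

# Renovate accepts durations such as "7 days", "2 weeks", "12 hours".
_DURATION = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week|month|year)s?\s*$", re.I)
_TO_DAYS = {"minute": 1 / 1440, "hour": 1 / 24, "day": 1.0,
            "week": 7.0, "month": 30.0, "year": 365.0}


def load_config(text: str) -> dict:
    """Parse renovate.json text into a dict."""
    return json.loads(text)


def release_age_days(value) -> float:
    """Convert a minimumReleaseAge string to days; unset/null counts as 0."""
    if not value:
        return 0.0
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unparseable minimumReleaseAge: {value!r}")
    count, unit = m.groups()
    return int(count) * _TO_DAYS[unit.lower()]


def check_policy(config: dict, required_managers: tuple, min_days: float = 7) -> list:
    """Return policy violations as strings; an empty list means compliant."""
    findings = []
    rules = config.get("packageRules", [])

    # 1. Automerge must be off at the top level and not re-enabled per rule.
    if config.get("automerge"):
        findings.append("top-level automerge is true")
    for i, rule in enumerate(rules):
        if rule.get("automerge"):
            findings.append(f"packageRules[{i}] enables automerge for {rule.get('matchManagers')}")

    # 2. Release-age gate: top level at least min_days, and no rule lowers it.
    try:
        top = release_age_days(config.get("minimumReleaseAge"))
    except ValueError as exc:
        findings.append(str(exc))
        top = 0.0
    if top < min_days:
        findings.append(f"top-level minimumReleaseAge {top:g} d < {min_days:g} d")
    for i, rule in enumerate(rules):
        if "minimumReleaseAge" in rule:
            try:
                if release_age_days(rule["minimumReleaseAge"]) < min_days:
                    findings.append(f"packageRules[{i}] lowers minimumReleaseAge to {rule['minimumReleaseAge']!r}")
            except ValueError as exc:
                findings.append(f"packageRules[{i}]: {exc}")

    # 3. Every manager the repository actually uses needs an explicit rule.
    covered = {m for r in rules for m in r.get("matchManagers", [])}
    for mgr in required_managers:
        if mgr not in covered:
            findings.append(f"no explicit packageRule for manager {mgr!r}")
    return findings


if __name__ == "__main__":
    cfg = load_config(SAMPLE_RENOVATE_JSON)
    for finding in check_policy(cfg, ("github-actions", "npm", "pip_requirements", "cargo")):
        print("FAIL:", finding)
```

Run it against the real renovate.json in CI (for example as a pre-commit hook or a required check) with `required_managers` set to the managers the repository actually has lockfiles for; the overrides in step 1 and 2 are the ones a casual "just automerge patch bumps" follow-up PR would introduce, and the check fails closed on an unparseable duration rather than treating it as satisfied.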

@thewrz thewrz merged commit 87aabed into main May 17, 2026
8 checks passed
@thewrz thewrz deleted the chore/renovate-migration branch May 17, 2026 05:01