Skip to content

chore(deps): migrate repositories to hybrid Renovate ownership #452

Description

@ss-o

Summary

Roll out the accepted hybrid dependency-management policy from #453. Renovate owns routine version updates; GitHub Dependabot retains dependency graph alerts and security update pull requests.

Linear mirror: ZSH-22.

Policy gate

Satisfied: #453 merged to main on 2026-06-21 with ADR 0012, renovate-config.json, and runbooks/dependency-management.md.

Verified rollout state — 2026-07-18

Organization repository

Stage 1 activation

Each merged child configuration extends local>z-shell/.github:renovate-config, adds :dependencyDashboardApproval, and disables Renovate vulnerability alerts so Dependabot remains the security-remediation owner. Zi alone preserves its non-default update target through baseBranchPatterns: ["next"].

Hosted-processing evidence

  • Zi Bump alpine from 3.20 to 3.21 in /actions/rclone #352 is mergeable at c6dba00fa492d268d67130e2680d53c1694c7fc7; Trunk is green and renovate/reconfigure matches that head.
  • No Renovate status is attached to that Zi head.
  • No open Dependency Dashboard or config-warning issue exists for any of the eight repositories, and no fresh post-activation issue, Renovate PR, or Renovate-authored commit has appeared. Historical closed Renovate artifacts exist in src, wiki, and zd; they do not demonstrate current processing.
  • Thirteen routine Dependabot PRs remain open across z-a-meta-plugins, src, zi, zd, and wiki.
  • The safe Stage 2 deletion set remains empty until hosted processing and GitHub security settings are verified.
  • A fresh connected-GitHub-app repository read on 2026-07-18 reached all eight Stage 1 repositories and reported administrative repository permission, but the connector's normalized payload omitted security_and_analysis for every repository. This path therefore cannot prove dependency graph, Dependabot alert, or security-update settings; authenticated settings/API evidence is still required.

Renovate documents that the hosted app should attach a status to a renovate/reconfigure branch when it processes the repository, and that an all-repositories installation can operate in silent mode:

Next gates

  1. Inspect the Mend Renovate organization/repository status and mode, starting with Zi. Enable interactive processing for the intended repositories and trigger a run when necessary.
  2. Require a hosted Renovate status on Zi's exact reconfigure head, or explicitly authorize a trusted local renovate-config-validator run before merging Bump alpine from 3.20 to 3.21 in /actions/rclone #352.
  3. Observe the first configured update window after activation — Monday 2026-07-20, 00:00–04:00 UTC — and record dashboard/config evidence per repository.
  4. Confirm dependency graph, Dependabot alerts, and Dependabot security updates remain enabled for every repository.
  5. Resolve retained routine Dependabot PRs deliberately.
  6. Perform Stage 2 atomically per repository: remove .github/dependabot.yml and the temporary dashboard-approval gate only after Renovate processing is proven, then confirm routine updates come only from Renovate.

Safety boundary

Do not approve a Dependency Dashboard item, merge Zi #352, close routine Dependabot PRs in bulk, or remove any child .github/dependabot.yml before the applicable hosted-processing and security-setting gates pass.

Triage

  • Suggested item type: Maintenance
  • Priority: High
  • Effort: Medium
  • Status: In progress

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:dependenciesDependency updates or dependency-management work.meta:org-trackedAuto-add this issue to the org-wide Z-Shell Tracker.priority:highNeeds prompt attention.type:maintenanceNon-feature maintenance, cleanup, or org work.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions