You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Roll out the accepted hybrid dependency-management policy from #453. Renovate owns routine version updates; GitHub Dependabot retains dependency graph alerts and security update pull requests.
Each merged child configuration extends local>z-shell/.github:renovate-config, adds :dependencyDashboardApproval, and disables Renovate vulnerability alerts so Dependabot remains the security-remediation owner. Zi alone preserves its non-default update target through baseBranchPatterns: ["next"].
No open Dependency Dashboard or config-warning issue exists for any of the eight repositories, and no fresh post-activation issue, Renovate PR, or Renovate-authored commit has appeared. Historical closed Renovate artifacts exist in src, wiki, and zd; they do not demonstrate current processing.
Thirteen routine Dependabot PRs remain open across z-a-meta-plugins, src, zi, zd, and wiki.
The safe Stage 2 deletion set remains empty until hosted processing and GitHub security settings are verified.
A fresh connected-GitHub-app repository read on 2026-07-18 reached all eight Stage 1 repositories and reported administrative repository permission, but the connector's normalized payload omitted security_and_analysis for every repository. This path therefore cannot prove dependency graph, Dependabot alert, or security-update settings; authenticated settings/API evidence is still required.
Renovate documents that the hosted app should attach a status to a renovate/reconfigure branch when it processes the repository, and that an all-repositories installation can operate in silent mode:
Inspect the Mend Renovate organization/repository status and mode, starting with Zi. Enable interactive processing for the intended repositories and trigger a run when necessary.
Observe the first configured update window after activation — Monday 2026-07-20, 00:00–04:00 UTC — and record dashboard/config evidence per repository.
Confirm dependency graph, Dependabot alerts, and Dependabot security updates remain enabled for every repository.
Perform Stage 2 atomically per repository: remove .github/dependabot.yml and the temporary dashboard-approval gate only after Renovate processing is proven, then confirm routine updates come only from Renovate.
Safety boundary
Do not approve a Dependency Dashboard item, merge Zi #352, close routine Dependabot PRs in bulk, or remove any child .github/dependabot.yml before the applicable hosted-processing and security-setting gates pass.
Summary
Roll out the accepted hybrid dependency-management policy from #453. Renovate owns routine version updates; GitHub Dependabot retains dependency graph alerts and security update pull requests.
Linear mirror: ZSH-22.
Policy gate
Satisfied: #453 merged to
mainon 2026-06-21 with ADR 0012,renovate-config.json, andrunbooks/dependency-management.md.Verified rollout state — 2026-07-18
Organization repository
z-shell/.github— migrated atomically in chore(deps): adopt hybrid Renovate and Dependabot ownership #453; routine Dependabot configuration removed.Stage 1 activation
z-shell/z-a-meta-plugins— Bump lowlighter/metrics from 3.27 to 3.28 #38 mergedz-shell/src— build(deps): bump actions/dependency-review-action from 3.0.8 to 3.1.0 #171 mergedz-shell/zi— Bump alpine from 3.20 to 3.21 in /actions/rclone #352 remains draftz-shell/wiki— #792 merged; supersedes closed onboarding #779z-shell/zd— Bump github/codeql-action from 2.1.37 to 2.1.38 #79 mergedz-shell/zsh-eza— build(deps): bump actions/dependency-review-action from 3.0.1 to 3.0.2 #72 mergedz-shell/zsh-lint— Bump actions/setup-node from 3.5.1 to 3.6.0 #75 mergedz-shell/zunit— Bump elstudio/actions-js-build from 2 to 4 #11 mergedEach merged child configuration extends
local>z-shell/.github:renovate-config, adds:dependencyDashboardApproval, and disables Renovate vulnerability alerts so Dependabot remains the security-remediation owner. Zi alone preserves its non-default update target throughbaseBranchPatterns: ["next"].Hosted-processing evidence
c6dba00fa492d268d67130e2680d53c1694c7fc7; Trunk is green andrenovate/reconfigurematches that head.src,wiki, andzd; they do not demonstrate current processing.security_and_analysisfor every repository. This path therefore cannot prove dependency graph, Dependabot alert, or security-update settings; authenticated settings/API evidence is still required.Renovate documents that the hosted app should attach a status to a
renovate/reconfigurebranch when it processes the repository, and that an all-repositories installation can operate in silent mode:Next gates
renovate-config-validatorrun before merging Bump alpine from 3.20 to 3.21 in /actions/rclone #352..github/dependabot.ymland the temporary dashboard-approval gate only after Renovate processing is proven, then confirm routine updates come only from Renovate.Safety boundary
Do not approve a Dependency Dashboard item, merge Zi #352, close routine Dependabot PRs in bulk, or remove any child
.github/dependabot.ymlbefore the applicable hosted-processing and security-setting gates pass.Triage
References
decisions/0012-hybrid-dependency-management.mdrunbooks/dependency-management.mdrenovate-config.json