Skip to content

workos/renovate-config

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
 
 
 
 
 
 
 
 

Repository files navigation

workos/renovate-config

Shared Renovate configuration presets for WorkOS repositories.

Purpose

Centralize dependency-management policy across the org so that a single edit propagates to every consuming repo. This repository provides two presets:

Preset File Best for
Default default.json Internal repositories with conservative update policies
Public public.json Public SDK and library repositories

Presets

Default (github>workos/renovate-config)

The base preset that all WorkOS repositories can extend. It implements supply-chain hardening and conservative dependency management:

  • Pins GitHub Actions to full commit SHAs via helpers:pinGitHubActionDigests. Any newly-added action referenced by tag (e.g. actions/checkout@v6) gets auto-pinned to a SHA with a version comment (@<sha> # v6).
  • Enforces a 7-day minimum release age (minimumReleaseAge: "7 days"). New action releases are not eligible for auto-update until they have been published for 7+ days.
  • Treats missing release timestamps as "not yet eligible" (minimumReleaseAgeBehaviour: "timestamp-required") — the safer default introduced in Renovate 42.
  • Suppresses branches for not-yet-eligible updates (internalChecksFilter: "strict") so the inbox stays quiet.
  • Groups and auto-merges minor/patch/digest GitHub Actions updates after CI passes. Major updates open a separate PR and require human review.
  • Patch-only policy for software dependencies by default — minor and major dependency updates are disabled in the base preset. Patch updates are auto-merged after CI passes and the 7-day minimum age is met. Patch PRs are labeled renovate/patch at creation time. Consuming repos can override this to enable minor updates (see Enabling minor updates).
  • Groups patch updates by dependency name — all packages that use the same dependency are updated in a single PR. This ensures monorepos with version-consistency policies (e.g. Rush) pass lockfile validation. For single-package repos this is a no-op.
  • After-hours schedule — Renovate only runs outside business hours for both US coasts: weekdays 9 PM–7 AM Eastern (6 PM–4 AM Pacific), and all day on weekends. The weekend window closes at 7 AM ET Monday.
  • Security/vulnerability PRs follow the same schedule — Renovate's built-in default creates vulnerability-fix PRs immediately (schedule: []), bypassing any configured schedule. This preset overrides that default so security PRs are only opened during the same after-hours window as regular updates.

Public (github>workos/renovate-config:public)

Extends the default preset with a more permissive update policy suited for public SDK and library repositories:

  • Inherits all base protections — SHA pinning, 7-day release age, GitHub Actions grouping.
  • Enables minor and major dependency updates — overrides the default patch-only policy.
  • Automerges minor and patch updates for all dependencies, grouped together.
  • Major updates require human review — not auto-merged.
  • Monthly schedule — runs on the 15th of each month before 12pm UTC.
  • No merge-queue labels — does not add labels like aviator/merge since public repos typically merge PRs directly.
  • Security/vulnerability PRs fire immediately — overrides the base preset's after-hours constraint so security fixes are not delayed in public repos.

How to use it

For internal repositories

In your repo's renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>workos/renovate-config"]
}

For public SDK / library repositories

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>workos/renovate-config:public"]
}

GitHub Actions only

If you only want Renovate to manage GitHub Actions in your repo (and not, say, package.json), add enabledManagers:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>workos/renovate-config"],
  "enabledManagers": ["github-actions"]
}

You can also override anything from either preset locally — extends is mergeable.

Auto-approve workflow

For most repos, extending a preset is sufficient — Renovate will open and merge eligible PRs directly once CI passes.

Repos that use Aviator as their merge queue require an additional step, because Aviator enforces a minimum approval count before queuing a PR. For those repos, add a small workflow that calls the shared auto-approve workflow hosted here. Create .github/workflows/renovate-auto-approve.yml in your repo:

name: Auto-approve Renovate PRs

on:
  pull_request:
    types: [opened, labeled]

jobs:
  auto-approve:
    uses: workos/renovate-config/.github/workflows/auto-approve-renovate.yml@main
    permissions:
      pull-requests: write

This workflow approves any PR opened by renovate[bot] that carries the renovate/patch or renovate/minor label, satisfying Aviator's approval precondition. Aviator then queues the PR once CI passes.

Enabling minor updates

The default preset disables minor (and major) updates for software dependencies. To opt in to automerged minor updates in a consuming repo, add a packageRules entry that re-enables them and labels the PRs so the auto-approve workflow fires:

{
  "packageRules": [
    {
      "description": "Enable and automerge minor updates, grouped by dependency name.",
      "matchManagers": ["!github-actions"],
      "matchUpdateTypes": ["minor"],
      "enabled": true,
      "groupName": "{{{depName}}}",
      "groupSlug": "{{{depNameSanitized}}}",
      "automerge": true,
      "addLabels": ["renovate/minor"]
    }
  ]
}

The addLabels: ["renovate/minor"] is required — without it the auto-approve workflow's label check will never match and PRs will sit without approval.

Prerequisites

Repositories are managed by one of two Renovate runners:

Runner Repos postUpgradeTasks Setup
Self-hosted (.github/workflows/renovate.yml) Listed in .github/renovate-global-config.js Yes See below
Mend Renovate GitHub App All other repos No Install the app

Self-hosted runner

The self-hosted runner is a scheduled GitHub Actions workflow in this repository that runs the Renovate Docker container. It supports postUpgradeTasks (e.g. rush update for lockfile generation), which the Mend-hosted app cannot provide.

Configuration:

  • .github/workflows/renovate.yml — the workflow definition (schedule, runner, auth)
  • .github/renovate-global-config.js — self-hosted global config (repo list, allowed commands)

Required secrets (in this repo's Actions settings):

  • RENOVATE_APP_PRIVATE_KEY — private key for the GitHub App used by the runner
  • RENOVATE_APP_ID — GitHub App ID (stored as a variable, not a secret)
  • SOCKET_FIREWALL_TOKEN — token for the Socket Firewall npm registry proxy

Adding a repo to the self-hosted runner:

  1. Add the repo to repositories in .github/renovate-global-config.js
  2. Remove the repo from the Mend Renovate GitHub App's installation (Settings → Integrations → GitHub Apps → Renovate → Configure → deselect the repo)
  3. If the repo needs post-upgrade commands, add the command regex to allowedCommands in the global config and add postUpgradeTasks to the repo's renovate.json

Manual trigger: The workflow supports workflow_dispatch with optional dry-run and log-level inputs for testing.

Mend Renovate GitHub App

For repos not yet migrated to self-hosted, the Mend Renovate GitHub App must be installed on the repo (or installed org-wide). Check at the Mend dashboard.

Changing the policy

Open a PR against this repo. Once merged, the change applies to every consuming repo on Renovate's next run.

About

A Mend renovate config that can be inherited by other repositories

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors